PT-2020-18316 · Sylius · Syliusresourcebundle

Pamil · Published 2020-01-27 · Updated 2020-02-04 · CVE-2020-5220

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Sylius ResourceBundle versions prior to 1.3.13
Sylius ResourceBundle versions 1.3.0 through 1.3.12
Sylius ResourceBundle versions 1.4.0 through 1.4.5
Sylius ResourceBundle version 1.5.0
Sylius ResourceBundle versions 1.6.0 through 1.6.2
Description

The issue arises from Sylius ResourceBundle accepting and using any serialisation groups passed via an HTTP header, which can expose data by applying an unintended serialisation group. For example, the Shop API could be made to use a more permissive group intended for the Admin API. Anyone exposing an API with ResourceBundle's controller is affected. The advisory also covers the ability to switch channels via the channel code GET parameter in production environments due to a configuration issue (the channel debug feature being left enabled).
Recommendations

For Sylius ResourceBundle versions prior to 1.3.13, update to version 1.3.13 or newer.
For Sylius ResourceBundle versions 1.3.0 through 1.3.12, update to version 1.3.13 or newer.
For Sylius ResourceBundle versions 1.4.0 through 1.4.5, update to version 1.4.6 or newer.
For Sylius ResourceBundle version 1.5.0, update to version 1.5.1 or newer.
For Sylius ResourceBundle versions 1.6.0 through 1.6.2, update to version 1.6.3 or newer.

As a temporary workaround for unsupported versions, consider adding the following configuration to prevent the channel debug feature from being enabled:

    sylius_channel:
        debug: false

The service sylius.resource_controller.request_configuration_factory can be overridden to prevent the use of custom serialisation groups passed via the HTTP header.

Weakness Enumeration

HTTP Request/Response Smuggling
Information Disclosure

Related Identifiers

CVE-2020-5220
GHSA-8VP7-J5CJ-VVM2
GHSA-PRG5-HG25-8GRQ

Affected Products

Syliusresourcebundle