CVE-2023-37473 - Vulnerability Details - OpenCVE

zenstruck/collections is a set of helpers for iterating/paginating/filtering collections. Passing _callable strings_ (ie `system`) caused the function to be executed. This would result in a limited subset of specific user input being executed as if it were code. This issue has been addressed in commit `f4b1c48820` and included in release version 0.2.1. Users are advised to upgrade. Users unable to upgrade should ensure that user input is not passed to either `EntityRepository::find()` or `query()`.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Zenstruck	Collection

Configuration 1 [-]

cpe:2.3:a:zenstruck:collection:0.2.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c
https://github.com/zenstruck/collection/releases/tag/v0.2.1
https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq

History

Fri, 18 Oct 2024 18:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:zenstruck:collection::::::::
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-07-14T20:00:16.909Z

Updated: 2024-10-18T17:42:36.436Z

Reserved: 2023-07-06T13:01:36.998Z

Link: CVE-2023-37473

Vulnrichment

Updated: 2024-08-02T17:16:30.334Z

NVD

Status : Modified

Published: 2023-07-14T21:15:09.047

Modified: 2024-11-21T08:11:47.053

Link: CVE-2023-37473

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-37473", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-06T13:01:36.998Z", "datePublished": "2023-07-14T20:00:16.909Z", "dateUpdated": "2024-10-18T17:42:36.436Z"}, "containers": {"cna": {"title": "Limited code execution in zenstruck/collections", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq"}, {"name": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c", "tags": ["x_refsource_MISC"], "url": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c"}, {"name": "https://github.com/zenstruck/collection/releases/tag/v0.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/zenstruck/collection/releases/tag/v0.2.1"}], "affected": [{"vendor": "zenstruck", "product": "collection", "versions": [{"version": "< 0.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-14T20:00:16.909Z"}, "descriptions": [{"lang": "en", "value": "zenstruck/collections is a set of helpers for iterating/paginating/filtering collections. Passing _callable strings_ (ie `system`) caused the function to be executed. This would result in a limited subset of specific user input being executed as if it were code. This issue has been addressed in commit `f4b1c48820` and included in release version 0.2.1. Users are advised to upgrade. Users unable to upgrade should ensure that user input is not passed to either `EntityRepository::find()` or `query()`."}], "source": {"advisory": "GHSA-7xr2-8ff7-6fjq", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:16:30.334Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq"}, {"name": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c"}, {"name": "https://github.com/zenstruck/collection/releases/tag/v0.2.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zenstruck/collection/releases/tag/v0.2.1"}]}, {"affected": [{"vendor": "zenstruck", "product": "collection", "cpes": ["cpe:2.3:a:zenstruck:collection:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.2.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-18T17:31:12.675933Z", "id": "CVE-2023-37473", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-18T17:42:36.436Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq", "name": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c", "name": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/zenstruck/collection/releases/tag/v0.2.1", "name": "https://github.com/zenstruck/collection/releases/tag/v0.2.1", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:16:30.334Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-37473", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-18T17:31:12.675933Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:zenstruck:collection:*:*:*:*:*:*:*:*"], "vendor": "zenstruck", "product": "collection", "versions": [{"status": "affected", "version": "0", "lessThan": "0.2.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-18T17:42:31.549Z"}}], "cna": {"title": "Limited code execution in zenstruck/collections", "source": {"advisory": "GHSA-7xr2-8ff7-6fjq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "zenstruck", "product": "collection", "versions": [{"status": "affected", "version": "< 0.2.1"}]}], "references": [{"url": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq", "name": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c", "name": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/zenstruck/collection/releases/tag/v0.2.1", "name": "https://github.com/zenstruck/collection/releases/tag/v0.2.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "zenstruck/collections is a set of helpers for iterating/paginating/filtering collections. Passing _callable strings_ (ie `system`) caused the function to be executed. This would result in a limited subset of specific user input being executed as if it were code. This issue has been addressed in commit `f4b1c48820` and included in release version 0.2.1. Users are advised to upgrade. Users unable to upgrade should ensure that user input is not passed to either `EntityRepository::find()` or `query()`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-14T20:00:16.909Z"}}}, "cveMetadata": {"cveId": "CVE-2023-37473", "state": "PUBLISHED", "dateUpdated": "2024-10-18T17:42:36.436Z", "dateReserved": "2023-07-06T13:01:36.998Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-07-14T20:00:16.909Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zenstruck:collection:0.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "E1467BC0-DA70-402B-A066-205A6D03F1A8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "zenstruck/collections is a set of helpers for iterating/paginating/filtering collections. Passing _callable strings_ (ie `system`) caused the function to be executed. This would result in a limited subset of specific user input being executed as if it were code. This issue has been addressed in commit `f4b1c48820` and included in release version 0.2.1. Users are advised to upgrade. Users unable to upgrade should ensure that user input is not passed to either `EntityRepository::find()` or `query()`."}], "id": "CVE-2023-37473", "lastModified": "2024-11-21T08:11:47.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-14T21:15:09.047", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/zenstruck/collection/releases/tag/v0.2.1"}, {"source": "security-advisories@github.com", "tags": ["Mitigation"], "url": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/zenstruck/collection/releases/tag/v0.2.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation"], "url": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}]}