[GHSA-g8pg-33v4-9r96] Thelia authentication bypass vulnerability#8012
Conversation
|
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
|
Hi @RainSignal, this PR is being merged agree with the decision to change the lower bound. I think it's possible that Two lines of code from the fix commit thelia/thelia@028cfcf were introduced in two different commits. As you pointed out, thelia/thelia@71c1cee introduced thelia/thelia@a4ad03c introduced My hypothesis is that the author https://web.archive.org/web/20160502224630/http://thelia.net/version-2-1-3-with-security-fix intended to type Thanks for the PR and gave a good weekend! |
edbe3c1
into
RainSignal/advisory-improvement-8012
|
Hi @RainSignal! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
The advisory states the vulnerability is present from 2.1.0-beta1,
but code review shows this is incorrect. We examined the file
TokenProvider.php across multiple versions and confirmed the
vulnerable unserialize() code exists in all of them:
https://github.com/thelia/thelia/blob/2.0.0-RC1/core/lib/Thelia/Core/Security/Token/TokenProvider.php
https://github.com/thelia/thelia/blob/2.0.12/core/lib/Thelia/Core/Security/Token/TokenProvider.php
https://github.com/thelia/thelia/blob/2.1.0-alpha2/core/lib/Thelia/Core/Security/Token/TokenProvider.php
Since 2.0.0-RC1 is the earliest version we checked and already
contains the vulnerable code, the affected version range should
be updated to >= 2.0.0-RC1. The true introduction point may be
even earlier, but we could not confirm versions prior to 2.0.0-RC1.
Therefore, the affected versions should be changed from
">= 2.1.0-beta1, < 2.1.3" to "< 2.1.3".