Component Type: PECL YAML parser
Vulnerability Type: remote code execution
Severity: low
Affected Versions: All Flow versions
Suggested CVSS: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N/E:H/RL:W/RC:C
CVE: n/a
No exploit is known yet, and the issue cannot be exploited in a default Flow or Neos installation, because an attacker would need access to the filesystem to do so. The severity is therefore low and we don't plan a bugfix from our side. See below for how to check whether you are affected and how to mitigate the problem.
Because PHP object deserialisation is enabled by default, an attacker with access to modify YAML files could possibly create PHP objects.
See also http://php.net/manual/en/function.yaml-parse.php#refsect1-function.yaml-parse-notes
See also this PHP bug report: https://bugs.php.net/bug.php?id=69617
Am I affected?
- Do you use the PECL YAML PHP extension? If not, you are not affected.
- Did you already disable object deserialisation? If you disabled it, you are not affected.
To test if you are affected you can run the following code which will either print "affected!" or "not affected" depending on the status of your system:
<?php
$affected = extension_loaded('yaml') && ini_get('yaml.decode_php');
echo ($affected ? 'affected!' : 'not affected');
Fixing the Issue
To fix the issue, you can either disable the PHP extension completely or set the following configuration setting in your php.ini to disable object deserialisation:
yaml.decode_php = 0
See http://php.net/manual/en/yaml.configuration.php#ini.yaml.decode-php for more information about this setting.
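The following is an added example, not part of the original advisory or of Flow itself: a fuller check that reports which php.ini the current SAPI loaded (CLI and web SAPIs can use different files, so run it under each) and lists YAML files containing the `!php/object` tag that the PHP manual names for serialised objects. The script name and the default `Configuration` directory are assumptions.

```php
<?php
declare(strict_types=1);

// Returns true when the PECL yaml extension is loaded and object decoding is on.
function yamlDecodePhpEnabled(): bool
{
    if (!extension_loaded('yaml')) {
        return false;
    }
    // ini_get() returns a string such as "1", "0", "On" or ""; normalise it.
    return filter_var(ini_get('yaml.decode_php'), FILTER_VALIDATE_BOOLEAN);
}

// Lists "path:line" for every YAML file below $dir that contains the !php/object tag.
function findPhpObjectTags(string $dir): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || !preg_match('/\.ya?ml$/i', $file->getFilename())) {
            continue;
        }
        foreach (file($file->getPathname()) ?: [] as $no => $line) {
            if (strpos($line, '!php/object') !== false) {
                $hits[] = $file->getPathname() . ':' . ($no + 1);
            }
        }
    }
    return $hits;
}

// Assumed usage: php check-yaml.php <directory>; the default path is hypothetical.
$dir = $argv[1] ?? 'Configuration';
printf("SAPI: %s, php.ini: %s\n", PHP_SAPI, php_ini_loaded_file() ?: '(none)');
$enabled = yamlDecodePhpEnabled();
echo 'yaml.decode_php: ', $enabled ? "enabled (affected)\n" : "disabled or extension not loaded\n";
$hits = is_dir($dir) ? findPhpObjectTags($dir) : [];
foreach ($hits as $hit) {
    echo "object tag found: $hit\n";
}
// Non-zero exit lets a deployment pipeline fail on either finding.
exit($enabled || $hits ? 1 : 0);
```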
Getting Help
In case you are unsure about the issue, don't hesitate to contact the Neos team on Slack (#flow-general) or through the other communication channels!