CIVI-SA-2019-13: Harden against unserialize vulnerabilities

Published
2019-05-15 09:00

PHP libraries and applications sometimes have vulnerabilities in which an attacker can cause the construction of an object of their choosing, typically by getting attacker-controlled data passed to unserialize(). The patch in this release does not address a specific vulnerability. Rather, it is defense in depth: it removes an escalation vector by which hypothetical vulnerabilities of this kind (in CiviCRM or in a related PHP library or application) could become more severe.
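The following PHP snippet is an added illustration of the escalation vector described above; it is not part of this advisory and not CiviCRM's own patch. The AuditLogger class, the unsafeDeserialize/safeDeserialize/deserializeAllowing helpers and the serialized sample string are all constructed for the example. It shows that a plain unserialize() call on untrusted input lets the input decide which class is instantiated (and therefore which __wakeup()/__destruct() code runs), while the allowed_classes option turns such input into an inert __PHP_Incomplete_Class.

```php
<?php
// Added example (not CiviCRM code): why unserialize() on untrusted input is an
// escalation vector, and the hardening option PHP provides (PHP >= 7.0).

// Hypothetical class standing in for any class, in the application or one of
// its libraries, that performs work in a magic method. In real code such a
// method might write a file, run a query or include a template.
class AuditLogger
{
    public $path = '/tmp/app-audit.log';

    public function __wakeup()
    {
        // Runs as soon as unserialize() has built an object of this class.
        echo "AuditLogger::__wakeup() invoked with path={$this->path}\n";
    }
}

// Constructed sample input: the serialized form of an AuditLogger whose
// property value was chosen by whoever supplied the string. In practice the
// string would arrive via a cookie, a form field or a cached blob.
$untrusted = 'O:11:"AuditLogger":1:{s:4:"path";s:16:"/tmp/evil-target";}';

// Vulnerable pattern: default unserialize() constructs any loadable class,
// so the input selects which __wakeup()/__destruct() code executes.
function unsafeDeserialize($data)
{
    return unserialize($data);
}

// Hardened pattern: never build objects from this data. Anything that looks
// like an object is returned as __PHP_Incomplete_Class and no magic method
// of the named class runs.
function safeDeserialize($data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// When objects are genuinely required, name exactly the classes permitted;
// everything else still becomes __PHP_Incomplete_Class.
function deserializeAllowing($data, array $classes)
{
    return unserialize($data, ['allowed_classes' => $classes]);
}

// Helper used by the demonstration below to classify a result.
function wasNeutralized($value)
{
    return is_object($value) && get_class($value) === '__PHP_Incomplete_Class';
}

// Demonstration: only the first call echoes from __wakeup(); the other two
// return neutralized placeholders.
$a = unsafeDeserialize($untrusted);
$b = safeDeserialize($untrusted);
$c = deserializeAllowing($untrusted, ['SomeHarmlessDto']);

printf("unsafe -> %s\n", get_class($a));
printf("allowed_classes=false neutralized: %s\n", wasNeutralized($b) ? 'yes' : 'no');
printf("allow-list without AuditLogger neutralized: %s\n", wasNeutralized($c) ? 'yes' : 'no');
```

Two caveats worth keeping in mind when auditing a code base for this pattern: allowed_classes only controls object construction, so it does not bound the size or nesting of the data (PHP 7.4 added a separate max_depth option for that), and the safest choice for data that crosses a trust boundary is a format that cannot express objects at all, such as json_decode() with associative arrays. Hardening of the kind this advisory describes reduces the impact of a future bug that lets untrusted data reach unserialize(); it does not remove the need to find and fix that bug.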

Security Risk

Critical

Vulnerability

Other

Affected Versions

CiviCRM versions 5.13.0 and earlier

Fixed Versions

CiviCRM versions 5.13.4 and 5.7.6

Solutions

Upgrade to the latest version of CiviCRM

Credits

Patrick Figel of Greenpeace for reporting the issue

Tim Otten of CiviCRM Core Team for fixing the issue

References

security/core#46