CVE-2020-15148

Description

### Impact Remote code execution in case application calls `unserialize()` on user input containing specially crafted string. ### Patches 2.0.38 ### Workarounds Add the following to BatchQueryResult.php: ```php public function __sleep() { throw new \BadMethodCallException('Cannot serialize '.__CLASS__); } public function __wakeup() { throw new \BadMethodCallException('Cannot unserialize '.__CLASS__); } ``` ### For more information If you have any questions or comments about this advisory, [contact us through security form](https://www.yiiframework.com/security).

How to fix CVE-2020-15148

To remediate CVE-2020-15148, upgrade the affected package to a fixed version below.

• —upgrade to 2.0.38 or later

Is CVE-2020-15148 being exploited?

Likely — EPSS is 93.4%, placing CVE-2020-15148 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

• from 0, < 2.0.38

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-15148
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2020-15148.yaml
• WEBgithub.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99
• WEBgithub.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj