CVE-2020-5220

MEDIUM

Sylius ResourceBundle 1.3.0-1.3.12, 1.4.0-1.4.5, 1.5.0, 1.6.0-1.6.2 - Data Exposure via Serialization Group HTTP Header

Title source: llm

Description

Sylius ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group - for example it could make Shop API use a more permissive group from Admin API. Anyone exposing an API with ResourceBundle's controller is affected. The vulnerable versions are: <1.3 || >=1.3.0 <=1.3.12 || >=1.4.0 <=1.4.5 || >=1.5.0 <=1.5.0 || >=1.6.0 <=1.6.2. The patch is provided for Sylius ResourceBundle 1.3.13, 1.4.6, 1.5.1 and 1.6.3, but not for any versions below 1.3.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_confirm

https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5cj-vvm2

Third Party Advisory x_refsource_misc

https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-5220.yaml

View Writeup ZIP pw:eip

Scores

CVSS v3 4.4

EPSS 0.0074

EPSS Percentile 49.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-444 CWE-200

Status published

Products (4)

sylius/resource-bundle 1.4.0 - 1.4.6Packagist

sylius/sylius 0 - 1.3.12Packagist

sylius/syliusresourcebundle 1.5.0

sylius/syliusresourcebundle 1.3.0 - 1.3.12

Published Jan 27, 2020

Tracked Since Feb 18, 2026