
CVE-2018-8073: yii2-redis potential remote code execution

CVSS Score: 9.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.75496%
Published: 5/14/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
yiisoft/yii2-redis | composer | < 2.0.8 | 2.0.8

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The advisory names `yii\redis\ActiveRecord::findOne()` and `yii\redis\ActiveRecord::findAll()` as the vulnerable entry points. Both take a condition argument that yii2-redis turns into a Lua script executed on the Redis server, and in versions before 2.0.8 user-controlled data passed into that condition could reach the generated script without adequate validation. Redis does run Lua scripts in a sandbox with no file or network access, but the sandbox still exposes `redis.call()`, so injected Lua is not confined to the intended lookup: it can read, modify or delete any key reachable over the application's connection, which is why the impact ranges from data manipulation on the Redis server to code execution in the Lua context. The CWE-94 classification (code injection) reflects that attacker-controlled data influences the code Redis executes, not merely the values a query compares against.
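The following is an added example (not code from this page or from the yiisoft/yii2-redis project) that contrasts the call pattern the advisory warns about with a hardened version. The `Customer` model, the `findCustomer*` helpers and the request shapes in the comments are constructed for illustration and assume a Yii 2 application with yiisoft/yii2-redis installed. The attribute whitelist is the generic mitigation for this class of bug, not a quotation of the project's 2.0.8 patch; upgrading to 2.0.8 or later, as the version table above states, remains the actual fix.

```php
<?php
// Added example, not from the page or from yiisoft/yii2-redis.
// Assumes a Yii 2 app with yiisoft/yii2-redis; Customer is a constructed model.

use yii\redis\ActiveRecord;
use yii\web\BadRequestHttpException;

class Customer extends ActiveRecord
{
    // yii\redis\ActiveRecord has no schema, so attribute names are declared here.
    public function attributes()
    {
        return ['id', 'email', 'status'];
    }
}

// UNSAFE (the pattern the advisory concerns): the whole query string becomes the
// condition, so the caller of the HTTP request chooses both the keys and the values
// that yii2-redis < 2.0.8 embeds into the Lua script it sends to the Redis server.
//   GET /customer?id=1                 -> the intended primary-key lookup
//   GET /customer?<attacker key>=<val> -> attacker-controlled condition data
function findCustomerUnsafe(array $params)
{
    return Customer::findOne($params);
}

// Hardened: accept only declared attribute names as keys and only scalar values,
// and refuse empty conditions. Unknown keys never reach the query builder.
function findCustomerSafe(array $params)
{
    $allowed = array_flip((new Customer())->attributes());
    $condition = [];
    foreach ($params as $name => $value) {
        if (!is_string($name) || !isset($allowed[$name]) || !is_scalar($value)) {
            throw new BadRequestHttpException('Unsupported filter: ' . (string)$name);
        }
        $condition[$name] = (string)$value; // redis stores strings
    }
    if ($condition === []) {
        throw new BadRequestHttpException('No filter given');
    }
    return Customer::findOne($condition);
}

// Simplest safe shape when only a primary-key lookup is needed: the key name is a
// literal chosen by the code and the value is coerced to the expected type.
function findCustomerById($id)
{
    return Customer::findOne(['id' => (int)$id]);
}
```

In a controller the unsafe shape is typically `Customer::findOne(Yii::$app->request->get())`; replacing it with `findCustomerById(Yii::$app->request->get('id'))` or `findCustomerSafe(Yii::$app->request->get())` keeps request data out of the condition keys regardless of library version, and rejecting array values also avoids turning a single lookup into an attacker-shaped IN condition.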

Vulnerable functions

yii\redis\ActiveRecord::findOne()
yii\redis\ActiveRecord::findAll()

WAF Protection Rules

WAF Rule

Potential remote code execution in the Lua context of the Redis server via methods `yii\redis\ActiveRecord::findOne()` and `yii\redis\ActiveRecord::findAll()` in yiisoft/yii2-redis. Attackers could probably manipulate data on the Redis server.
