
CVE-2023-37473: zenstruck/collection passing callable string to EntityRepository::find() and query()

CVSS Score (v3.1)
8.6

Basic Information

EPSS Score
0.3369%
Published
7/14/2023
Updated
11/10/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Package Name
zenstruck/collection
Ecosystem
composer
Vulnerable Versions
< 0.2.1
First Patched Version
0.2.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from the find() and query() methods of EntityRepository accepting callable strings as a specification. The patch added && \is_object($specification) to the existing is_callable() checks, so that only object callables (closures and invokable objects) pass and string-based callables are explicitly rejected. The commit diff shows these methods were modified in EntityRepository.php, and tests were added to verify that callable strings such as 'system' are rejected. The CWE-74 classification confirms this is an injection vulnerability caused by improper input validation in these methods.
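As an added illustration (not code from zenstruck/collection or from Miggo), the weak guard beside the hardened guard described above, run over the kinds of specification a caller might pass. The function names, the `$cases` inputs and the printed labels are assumptions; only `$specification` and the `\is_callable() && \is_object()` check come from the analysis above.

```php
<?php
declare(strict_types=1);

// Constructed illustration: how the guard described above separates
// object callables from callable strings. Nothing here invokes $specification.

/** Weak guard: any PHP callable passes, including a global function name as a string. */
function acceptsSpecificationWeak(mixed $specification): bool
{
    return \is_callable($specification);
}

/** Hardened guard, matching the patch described above: the callable must also be an object. */
function acceptsSpecificationHardened(mixed $specification): bool
{
    return \is_callable($specification) && \is_object($specification);
}

// Constructed sample specifications.
$closure = static fn(object $qb): object => $qb;                 // Closure: an object
$invokable = new class {                                          // invokable object
    public function __invoke(object $qb): object { return $qb; }
};
$callableString = 'system';                                       // string naming a global function
$arrayCallable = [new DateTimeImmutable('2023-07-14'), 'format']; // array callable: not an object

$cases = [
    'Closure'          => $closure,
    'invokable object' => $invokable,
    "string 'system'"  => $callableString,
    'array callable'   => $arrayCallable,
];

// Report, for each input, whether the weak and the hardened guard would accept it.
foreach ($cases as $label => $spec) {
    printf("%-18s weak=%s  hardened=%s\n",
        $label,
        acceptsSpecificationWeak($spec) ? 'accepts' : 'rejects',
        acceptsSpecificationHardened($spec) ? 'accepts' : 'rejects');
}
```

Both guards accept the Closure and the invokable object; only the weak guard accepts the `'system'` string and the array callable, which is exactly the gap the `\is_object()` condition closes.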

Vulnerable functions


WAF Protection Rules

WAF Rule

### Impact
Passing _callable strings_ (ie `system`) caused the function to be executed.

### Patches
Fixed in [v0.2.1](https://github.com/zenstruck/collection/releases/tag/v0.2.1).

### Workarounds
Do not allow passing user strings to `EntityReposito
