N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-vh6j-wv25-8qxr

EPSS Score

CWE

Published

6/5/2024

Updated

6/5/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-vh6j-wv25-8qxr

GHSA-vh6j-wv25-8qxr: Flow Bugfix Releases for Entity Security

If you had used entity security and wanted to secure entities not just based on the user's role, but on some property of the user (like the company he belongs to), entity security did not work properly together with the doctrine query cache. This could lead to other users re-using SQL queries from the cache which were built for other users; and thus users could see entities which were not destined for them.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-vh6j-wv25-8qxr

GHSA-vh6j-wv25-8qxr:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-vh6j-wv25-8qxr

EPSS Score

CWE

Published

6/5/2024

Updated

6/5/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/flow	composer	>= 3.0.0, < 3.0.12	3.0.12
typo3/flow	composer	>= 3.1.0, < 3.1.10	3.1.10
typo3/flow	composer	>= 3.2.0, < 3.2.13	3.2.13
typo3/flow	composer	>= 3.3.0, < 3.3.13	3.3.13
typo3/flow	composer	>= 4.0.0, < 4.0.6	4.0.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of user-specific parameters in Doctrine query caching. The advisory explicitly warns against setting parameters inside addFilterConstraint(), as this bypasses proper cache key differentiation. User-specific security constraints (like company affiliation) were not included in the cache key, allowing cached queries from one user to be reused for another. While the core fix involves implementing CacheAwareInterface in global objects, the direct vulnerable pattern occurs in custom SQL filters where parameters are set internally, making addFilterConstraint() the most specific identifiable vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-vh6j-wv25-8qxr: Flow Bugfix Releases for Entity Security

GHSA-vh6j-wv25-8qxr:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-vh6j-wv25-8qxr: Flow Bugfix Releases for Entity Security

N/A

N/A

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI