CVE-2018-6009 - Vulnerability Details

Vendors	Products
Yiiframework	Yiiframework

Link	Providers
https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-01-22T00:00:00", "descriptions": [{"lang": "en", "value": "In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-22T21:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-6009", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7", "refsource": "CONFIRM", "url": "https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T05:47:56.235Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-6009", "datePublished": "2018-01-22T22:00:00", "dateReserved": "2018-01-22T00:00:00", "dateUpdated": "2024-08-05T05:47:56.235Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : n/a (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

datePublic : 2018-01-22T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : n/a (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2018-01-22T21:57:01 (string)

orgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

shortName : mitre (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : cve@mitre.org (string)

ID : CVE-2018-6009 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : n/a (string)

version : { »

version_data : [ »

0 : { »

version_value : n/a (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : n/a (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7 (string)

refsource : CONFIRM (string)

url : https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-05T05:47:56.235Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

assignerShortName : mitre (string)

cveId : CVE-2018-6009 (string)

datePublished : 2018-01-22T22:00:00 (string)

dateReserved : 2018-01-22T00:00:00 (string)

dateUpdated : 2024-08-05T05:47:56.235Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "0E54B667-316C-4443-AD6C-5CDB0BB2B7AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.0:alpha:*:*:*:*:*:*", "matchCriteriaId": "4DC37B5E-CA70-46F5-BD57-B2960E56E02A", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.0:beta:*:*:*:*:*:*", "matchCriteriaId": "3EFF01B0-E13F-4B2A-A1A8-312C5FAB2D4D", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.0:rc:*:*:*:*:*:*", "matchCriteriaId": "C714F1E1-C752-47DF-B525-9F93E37E49F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "F8EA5B61-014C-4F92-A6C1-5D77BD662EDD", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "AAD2A68A-8308-4D13-A495-AEFD793861E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "0B9F0C33-E986-4E3F-8048-2C7FFB167E27", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "38E2AF50-03AA-440B-8F36-4E3FA52A237F", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "88F14CC3-9A9C-48F5-BC06-17AE8E76A8BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8BDED07C-2135-40D5-A6AA-4DC45646250D", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "374488D0-6418-41E9-9061-DFBB1819A350", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "5DE87E89-2E27-49A7-82DC-4A2EAD4FDF06", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "12AD2289-7B39-4E8E-9B9F-3D19AD2941B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "2200E2A0-B436-499A-A72A-B23115AE4FF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "A68A5D75-444D-47BF-B49D-08E81CE956B6", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "1225414E-4CB3-4A3C-94BD-FA9AA75B778A", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.11.2:*:*:*:*:*:*:*", "matchCriteriaId": "EA7F265C-1EAB-4F9A-8D11-9F5CDE9D8F06", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "7E720459-C4D8-47E6-85C0-A8A1D90D40D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "6EDA0FFC-93DB-494D-B49A-0F2EA5DF7262", "vulnerable": true}, {"criteria": "cpe:2.3:a:yiiframework:yiiframework:2.0.13.1:*:*:*:*:*:*:*", "matchCriteriaId": "64C06D97-C4E3-4614-96A9-C5404B27B4EA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity."}, {"lang": "es", "value": "En Yii Framework 2.x en versiones anteriores a la 2.0.14, la funci\u00f3n switchIdentity en web/User.php no regener\u00f3 el token CSRF tras un cambio de identidad."}], "id": "CVE-2018-6009", "lastModified": "2024-11-21T04:09:52.810", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-01-22T22:29:00.207", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.0:*:*:*:*:*:*:* (string)

matchCriteriaId : 0E54B667-316C-4443-AD6C-5CDB0BB2B7AD (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.0:alpha:*:*:*:*:*:* (string)

matchCriteriaId : 4DC37B5E-CA70-46F5-BD57-B2960E56E02A (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.0:beta:*:*:*:*:*:* (string)

matchCriteriaId : 3EFF01B0-E13F-4B2A-A1A8-312C5FAB2D4D (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.0:rc:*:*:*:*:*:* (string)

matchCriteriaId : C714F1E1-C752-47DF-B525-9F93E37E49F2 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.1:*:*:*:*:*:*:* (string)

matchCriteriaId : F8EA5B61-014C-4F92-A6C1-5D77BD662EDD (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.2:*:*:*:*:*:*:* (string)

matchCriteriaId : AAD2A68A-8308-4D13-A495-AEFD793861E3 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.3:*:*:*:*:*:*:* (string)

matchCriteriaId : 0B9F0C33-E986-4E3F-8048-2C7FFB167E27 (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.4:*:*:*:*:*:*:* (string)

matchCriteriaId : 38E2AF50-03AA-440B-8F36-4E3FA52A237F (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.5:*:*:*:*:*:*:* (string)

matchCriteriaId : 88F14CC3-9A9C-48F5-BC06-17AE8E76A8BD (string)

vulnerable : true (boolean)

}

9 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.6:*:*:*:*:*:*:* (string)

matchCriteriaId : 8BDED07C-2135-40D5-A6AA-4DC45646250D (string)

vulnerable : true (boolean)

}

10 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.7:*:*:*:*:*:*:* (string)

matchCriteriaId : 374488D0-6418-41E9-9061-DFBB1819A350 (string)

vulnerable : true (boolean)

}

11 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.8:*:*:*:*:*:*:* (string)

matchCriteriaId : 5DE87E89-2E27-49A7-82DC-4A2EAD4FDF06 (string)

vulnerable : true (boolean)

}

12 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.9:*:*:*:*:*:*:* (string)

matchCriteriaId : 12AD2289-7B39-4E8E-9B9F-3D19AD2941B8 (string)

vulnerable : true (boolean)

}

13 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.10:*:*:*:*:*:*:* (string)

matchCriteriaId : 2200E2A0-B436-499A-A72A-B23115AE4FF0 (string)

vulnerable : true (boolean)

}

14 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.11:*:*:*:*:*:*:* (string)

matchCriteriaId : A68A5D75-444D-47BF-B49D-08E81CE956B6 (string)

vulnerable : true (boolean)

}

15 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.11.1:*:*:*:*:*:*:* (string)

matchCriteriaId : 1225414E-4CB3-4A3C-94BD-FA9AA75B778A (string)

vulnerable : true (boolean)

}

16 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.11.2:*:*:*:*:*:*:* (string)

matchCriteriaId : EA7F265C-1EAB-4F9A-8D11-9F5CDE9D8F06 (string)

vulnerable : true (boolean)

}

17 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.12:*:*:*:*:*:*:* (string)

matchCriteriaId : 7E720459-C4D8-47E6-85C0-A8A1D90D40D9 (string)

vulnerable : true (boolean)

}

18 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.13:*:*:*:*:*:*:* (string)

matchCriteriaId : 6EDA0FFC-93DB-494D-B49A-0F2EA5DF7262 (string)

vulnerable : true (boolean)

}

19 : { »

criteria : cpe:2.3:a:yiiframework:yiiframework:2.0.13.1:*:*:*:*:*:*:* (string)

matchCriteriaId : 64C06D97-C4E3-4614-96A9-C5404B27B4EA (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity. (string)

}

1 : { »

lang : es (string)

value : En Yii Framework 2.x en versiones anteriores a la 2.0.14, la función switchIdentity en web/User.php no regeneró el token CSRF tras un cambio de identidad. (string)

}

]

id : CVE-2018-6009 (string)

lastModified : 2024-11-21T04:09:52.810 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : PARTIAL (string)

baseScore : 6.8 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:M/Au:N/C:P/I:P/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 8.6 (number)

impactScore : 6.4 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : true (boolean)

}

]

cvssMetricV30 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 8.8 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : HIGH (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (string)

version : 3.0 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 5.9 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2018-01-22T22:29:00.207 (string)

references : [ »

0 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7 (string)

}

1 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7 (string)

}

]

sourceIdentifier : cve@mitre.org (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-352 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object