
Cloud Vulnerability DB
A community-led vulnerabilities database
GHSA-2w9p-xxqr-h253 is an object injection vulnerability in the SiteAccessMatchListener component of eZ Platform. It was disclosed on May 20, 2020 and affects ezsystems/ezplatform-kernel versions 1.0.0 to 1.0.2.1. This high-severity vulnerability impacts all sites running the affected versions of eZ Platform (EZ Platform).
The vulnerability exists in the SiteAccessMatchListener component and could potentially lead to remote code execution (RCE). The initial fix introduced some bugs, particularly affecting compound siteaccess matchers, which required subsequent patches. The issue was resolved in ezsystems/ezplatform-kernel v1.0.3, and corresponding fixes were also released for ezpublish-kernel in versions v7.5.8, v6.13.6.4, and v5.4.15 (GitHub Advisory).
The vulnerability is classified as high severity because it could lead to remote code execution (RCE), a very serious threat to affected systems. It potentially affects all sites running the vulnerable versions of the software (EZ Platform).
The vulnerability has been patched in ezsystems/ezplatform-kernel version 1.0.3. Users should upgrade to the following fixed versions: ezsystems/ezplatform-kernel v1.0.3, ezsystems/ezpublish-kernel v7.5.8, v6.13.6.4, or v5.4.15. The security update is distributed via Composer (GitHub Advisory).
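One way to check a project's `composer.lock` against the fixed releases listed above. This is an added example, not code from the advisory or from eZ Platform; the pairing of each fix with its major.minor branch, the status labels, and the sample lock content are assumptions made here.

```python
import json

# Fixed releases named in the advisory, keyed by package and release branch.
# Pairing each fix with its (major, minor) branch is an assumption of this example.
FIXED = {
    "ezsystems/ezplatform-kernel": {(1, 0): (1, 0, 3)},
    "ezsystems/ezpublish-kernel": {
        (7, 5): (7, 5, 8), (6, 13): (6, 13, 6, 4), (5, 4): (5, 4, 15),
    },
}

def parse_version(text):
    """'v6.13.6.4' -> (6, 13, 6, 4); None for dev, alias or pre-release strings."""
    parts = text.lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def pad(version, length=4):
    """Right-pad with zeros so 1.0.3 and 1.0.2.1 compare correctly."""
    return version + (0,) * (length - len(version))

def check_lock(lock_text):
    """Map each eZ kernel package in a composer.lock to (version, status)."""
    lock = json.loads(lock_text)
    results = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "").lower()
        if name not in FIXED:
            continue
        raw = pkg.get("version", "")
        version = parse_version(raw)
        fixed = FIXED[name].get(version[:2]) if version else None
        if fixed is None:
            status = "review"        # unparsable version or branch not in the advisory
        elif pad(version) < pad(fixed):
            status = "below_fixed"   # older than the fixed release for this branch
        else:
            status = "fixed"
        results[name] = (raw, status)
    return results

# Constructed sample composer.lock content (not taken from a real project).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "ezsystems/ezplatform-kernel", "version": "v1.0.2.1"},
    {"name": "symfony/symfony", "version": "v4.4.8"},
]})

if __name__ == "__main__":
    for name, (raw, status) in check_lock(SAMPLE_LOCK).items():
        print(f"{name} {raw}: {status}")
```

A `review` result means the installed version could not be compared against the releases named on this page and needs a manual look.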
The vulnerability was responsibly disclosed by Serhey Dolgushev from Contextual Code, demonstrating effective collaboration between security researchers and the software maintainers (EZ Platform).
Source: This report was generated using AI