GHSA-64vj-933f-6pm3: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-64vj-933f-6pm3) is an object injection vulnerability discovered in the SiteAccessMatchListener component of eZ Platform. The issue was disclosed on May 20, 2020, affecting multiple versions of ezsystems/ezplatform-kernel and ezsystems/ezpublish-kernel packages. The vulnerability impacts all versions from 5.4.0 through 7.5.7.1 of the affected packages (EZ Platform).

The vulnerability is classified as a high-severity object injection flaw in the SiteAccessMatchListener component that could potentially lead to remote code execution (RCE). The initial fix for this vulnerability introduced some bugs, particularly affecting compound siteaccess matchers, which required subsequent patches. The issue has been assigned CWE-94 (Code Injection) classification (GitHub Advisory).

The vulnerability poses a serious security threat as it could enable remote code execution (RCE) on affected systems. All sites running the vulnerable versions of eZ Platform were potentially affected by this security issue (EZ Platform).

The vulnerability has been patched in multiple versions: ezsystems/ezplatform-kernel v1.0.3, ezsystems/ezpublish-kernel v7.5.8, v6.13.6.4, and v5.4.15. Users are strongly advised to upgrade to these patched versions. The security updates are distributed via Composer (EZ Platform).