From 39576073ab05b5fbb701455735e9996cf55a6650 Mon Sep 17 00:00:00 2001
From: DBX12
Date: Mon, 3 Jun 2024 15:41:12 +0200
Subject: [PATCH 1/4] Add CVE-2024-4990

---
 yiisoft/yii2/CVE-2024-4990.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 yiisoft/yii2/CVE-2024-4990.yaml

diff --git a/yiisoft/yii2/CVE-2024-4990.yaml b/yiisoft/yii2/CVE-2024-4990.yaml
new file mode 100644
index 000000000..cef86b313
--- /dev/null
+++ b/yiisoft/yii2/CVE-2024-4990.yaml
@@ -0,0 +1,8 @@
+title: Unsafe Reflection in base Component class
+link: https://github.com/yiisoft/yii2/security/advisories/GHSA-cjcc-p67m-7qxm
+cve: CVE-2024-4990
+branches:
+ 2.0.49.x:
+ time: null
+ versions: ['<2.0.49']
+reference: composer://yiisoft/yii2

From f868379dec070a9aa789494fdfb684680c622f30 Mon Sep 17 00:00:00 2001
From: DBX12
Date: Mon, 3 Jun 2024 16:10:54 +0200
Subject: [PATCH 2/4] Correct constraint from < to <= for CVE-2024-4990

---
 yiisoft/yii2/CVE-2024-4990.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yiisoft/yii2/CVE-2024-4990.yaml b/yiisoft/yii2/CVE-2024-4990.yaml
index cef86b313..979c928ca 100644
--- a/yiisoft/yii2/CVE-2024-4990.yaml
+++ b/yiisoft/yii2/CVE-2024-4990.yaml
@@ -4,5 +4,5 @@ cve: CVE-2024-4990
 branches:
 2.0.49.x:
 time: null
- versions: ['<2.0.49']
+ versions: ['<=2.0.49']
 reference: composer://yiisoft/yii2

From e18ad5f70b80cde3bbf9aab2926386547a18c751 Mon Sep 17 00:00:00 2001
From: DBX12
Date: Mon, 29 Jul 2024 08:34:25 +0200
Subject: [PATCH 3/4] Correct constraint from <=2.0.49 to <2.0.49 for CVE-2024-4990

The security advisory got updated again.
---
 yiisoft/yii2/CVE-2024-4990.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yiisoft/yii2/CVE-2024-4990.yaml b/yiisoft/yii2/CVE-2024-4990.yaml
index 979c928ca..f7564e052 100644
--- a/yiisoft/yii2/CVE-2024-4990.yaml
+++ b/yiisoft/yii2/CVE-2024-4990.yaml
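Review bot: The branch key `2.0.49.x` introduced in the new file labels the affected range as a single patch-release line, while the constraint beneath it (`<2.0.49` here, `<2.0.49.4` by the end of this series) has no lower bound and therefore covers every 2.0 release, so someone scanning advisories by branch key may underestimate what is affected. Other yiisoft/yii2 entries in this collection appear to key the 2.0 line as `2.0.x`; if that is the convention, `  2.0.x:` would be the consistent key, and the same key is carried as context through the three following hunks, so it would have to change in each. Renaming the key does not alter the version constraint or the `time` field.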
@@ -4,5 +4,5 @@ cve: CVE-2024-4990
 branches:
 2.0.49.x:
 time: null
- versions: ['<=2.0.49']
+ versions: ['<2.0.49.4']
 reference: composer://yiisoft/yii2

From ccdf41d8178085d1cdab254e4be2be2d0f3f7e88 Mon Sep 17 00:00:00 2001
From: DBX12
Date: Mon, 29 Jul 2024 08:35:40 +0200
Subject: [PATCH 4/4] Add timestamp for branch 2.0.49.x for CVE-2024-4990

The vulnerability was fixed with this commit: https://github.com/yiisoft/yii2/commit/62d081f18c3602d09e7d075bba3a0ca5c313f0b4
---
 yiisoft/yii2/CVE-2024-4990.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yiisoft/yii2/CVE-2024-4990.yaml b/yiisoft/yii2/CVE-2024-4990.yaml
index f7564e052..b0678fa65 100644
--- a/yiisoft/yii2/CVE-2024-4990.yaml
+++ b/yiisoft/yii2/CVE-2024-4990.yaml
@@ -3,6 +3,6 @@ link: https://github.com/yiisoft/yii2/security/advisories/GHSA-cjcc-p67m-7qxm
 cve: CVE-2024-4990
 branches:
 2.0.49.x:
- time: null
+ time: 2024-06-04 16:23:00
 versions: ['<2.0.49.4']
 reference: composer://yiisoft/yii2
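Review bot: The commit subject says the constraint becomes `<2.0.49`, but the added line writes `versions: ['<2.0.49.4']`, so the history and the data disagree; the subject is presumably the stale half and should read `<2.0.49.4`, since that is the bound the final file keeps. The body's "The security advisory got updated again." would be easier to audit later if it quoted the advisory's stated fixed version, because the bound moved three times in this series and a reader cannot tell from the message which advisory revision each value came from. Note that with Composer's constraint semantics the new bound also flags 2.0.49 through 2.0.49.3 as affected, which the previous `<=2.0.49` did not; that appears intended but is worth a word in the message.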
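Review bot: The `time` value on the added line, `2024-06-04 16:23:00`, is unquoted and carries no timezone; a YAML 1.1 parser (PyYAML, for one) will load it as a datetime rather than a string, and tools that compare it against package release times cannot tell whether it is UTC or the author's local +0200 seen in this series' Date headers. If the collection's other entries quote this field, `time: '2024-06-04 16:23:00'` would be the consistent form; either way the commit message should state the timezone the value is in and that it was taken from the fix commit it links, so the figure can be re-derived. I cannot confirm the repository's convention from this patch alone, so treat the quoting suggestion as something to check against neighbouring entries.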