
Unsafe sample code in zendesk_api_client_php

Low
mattkennedy-zendesk published GHSA-hj43-j2p2-q37m Feb 2, 2022

Package

oauth.php (PHP)

Affected versions

N/A

Patched versions

N/A

Description

About this advisory

As reported in issue #464, in our sample code for the OAuth implementation of our PHP client (zendesk_api_client_php/samples/auth/oauth.php), we demonstrated an unsafe use of the unserialize function, which, if reused, could lead to deserialization attacks.

Impact

This unsafe function is not actively used in the library and does not expose users to any risk. However, we acknowledge that demonstrating the use of this function could result in developers re-using this in their code.

Fix

We have removed the code sample from this repository, to prevent accidental reuse of the code.

Next steps

If you are using the OAuth features of this library, we recommend you confirm that you are not calling the unserialize function on user-supplied input, as recommended in the PHP documentation.
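The removed sample is not reproduced on this page. The following is an added illustration (not code from zendesk_api_client_php) of the pattern the advisory warns about beside two hardened alternatives; the cookie name `zd_oauth` and the token shape are hypothetical.

```php
<?php
// Added example, not code from zendesk_api_client_php. Shows the risky
// pattern (unserialize() on user-controlled input) next to safer ways of
// restoring stored OAuth token data. Cookie name and token shape are
// hypothetical.

// UNSAFE: the cookie value is attacker-controlled; unserialize() will
// instantiate any class named in the payload and run its magic methods,
// which is the PHP object injection risk the advisory refers to.
function restoreTokenUnsafe(array $cookies): ?array
{
    if (!isset($cookies['zd_oauth'])) {
        return null;
    }
    $data = unserialize($cookies['zd_oauth']);   // do not do this
    return is_array($data) ? $data : null;
}

// SAFER (minimal change, PHP >= 7.0): forbid object instantiation entirely.
// Any object in the payload becomes __PHP_Incomplete_Class and runs no code.
function restoreTokenNoClasses(array $cookies): ?array
{
    if (!isset($cookies['zd_oauth'])) {
        return null;
    }
    $data = @unserialize($cookies['zd_oauth'], ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// PREFERRED: persist a data-only format and validate the shape explicitly.
function storeToken(array $token): string
{
    return json_encode([
        'access_token' => $token['access_token'],
        'token_type'   => $token['token_type'],
    ]);
}

function restoreTokenJson(array $cookies): ?array
{
    if (!isset($cookies['zd_oauth'])) {
        return null;
    }
    $data = json_decode($cookies['zd_oauth'], true);
    if (!is_array($data) || !isset($data['access_token'], $data['token_type'])
        || !is_string($data['access_token']) || $data['token_type'] !== 'bearer') {
        return null;   // reject anything that is not a well-formed token record
    }
    return $data;
}
```

With `allowed_classes => false`, a serialized array still round-trips, while a serialized object such as `O:8:"stdClass":0:{}` is neutralised rather than instantiated and the function returns null.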

References

OWASP guide to PHP object injection
PHP documentation for the unserialize function

For more information

If you have any questions or comments about this advisory, email us at Zendesk Security

We also invite security researchers to report issues to us using our Bug Bounty program, where we reward them for helping make our product safer.

Severity

Low


CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N

CVE ID

No known CVE
