VYPR
Critical severity · NVD Advisory · Published Mar 21, 2018 · Updated Aug 5, 2024

CVE-2018-8073

Description

Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Yii 2.x before 2.0.15's Redis ActiveRecord findOne() and findAll() methods allow remote attackers to execute arbitrary Lua code on the Redis server.

Vulnerability

CVE-2018-8073 affects the Redis ActiveRecord implementation in the Yii2-Redis extension (yiisoft/yii2-redis) for Yii Framework versions before 2.0.15 [1][2]. The vulnerability is in the findOne() and findAll() methods of yii\redis\ActiveRecord [1][2]. These methods pass unfiltered user input as filter conditions that may be injected into Lua scripts executed on the Redis server. An attacker can leverage a variant of the SQL injection attack described in CVE-2018-7269, but adapted for Redis [3].

Exploitation

An attacker must be able to pass arbitrary input to the findOne() or findAll() methods on a Redis ActiveRecord model, typically through HTTP request parameters if the application does not validate or sanitize input [1][2]. The attacker crafts a malicious filter condition that, when sent to the Redis server, becomes part of a Lua script. Since Yii uses Lua scripting for some Redis queries, the attacker can inject arbitrary Lua code [2]. The attacker does not need prior authentication to the Redis server if the Yii application exposes these methods to unauthenticated users.

Impact

Successful exploitation allows an attacker to execute arbitrary Lua code within the Redis server's script environment [2]. This can lead to data manipulation, deletion, or extraction of sensitive data stored in Redis, and potentially further compromise of the application if Redis is used for session storage, caching, or other critical functionality [4].

Mitigation

The fix was released in Yii 2.0.15 (March 2018) [1][2]. Users should upgrade to yiisoft/yii2 2.0.15 or later together with the corresponding yiisoft/yii2-redis release. As a workaround, applications should ensure that user input passed to findOne() and findAll() is properly validated and never used directly as a condition. Additionally, the yii\redis\ActiveRecord methods now limit filter conditions to ActiveRecord property columns only, reducing the injection surface [2].
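The following added illustration (not code from Yii or the yii2-redis extension) contrasts the unsafe call pattern the advisory describes with two defensive forms: forcing the primary key to a scalar, and building any filter condition from a fixed allow-list of attribute names, which is the same restriction the patched ActiveRecord enforces. The model `Post`, its attribute list and the request parameter names are assumptions.

```php
<?php
use yii\base\InvalidArgumentException;
use yii\redis\ActiveRecord;

// Hypothetical Redis ActiveRecord model; yii\redis\ActiveRecord requires
// subclasses to declare their attributes explicitly.
class Post extends ActiveRecord
{
    public function attributes()
    {
        return ['id', 'title', 'status'];
    }
}

// VULNERABLE on yii2-redis < 2.0.8: the raw request value goes straight into
// findOne(). A client may send ?id=3 (scalar) or ?id[...]=... (array); an array
// is treated as an arbitrary filter condition instead of a primary-key lookup.
function findPostUnsafe()
{
    return Post::findOne(Yii::$app->request->get('id'));
}

// SAFE: force the primary key to the scalar type the application expects, so
// the call is always a key lookup and never a caller-supplied condition.
function findPostByKey()
{
    $id = Yii::$app->request->get('id');
    if (!is_scalar($id) || !ctype_digit((string) $id)) {
        throw new InvalidArgumentException('id must be an integer');
    }
    return Post::findOne((int) $id);
}

// SAFE: when a filter is genuinely needed, build the condition array yourself
// from the model's own attribute names and accept only scalar values, dropping
// unknown keys and nested structures before they reach findAll().
function findPostsByFilter(array $params)
{
    $allowed = (new Post())->attributes();
    $condition = [];
    foreach ($params as $key => $value) {
        if (!in_array($key, $allowed, true) || !is_scalar($value)) {
            continue;
        }
        $condition[$key] = $value;
    }
    return Post::findAll($condition);
}
```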

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         | Affected versions | Patched versions
yiisoft/yii2-redis (Packagist)  | < 2.0.8           | 2.0.8
