CVE-2018-8074
Description
Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Yii 2.x before 2.0.15 Elasticsearch extension allows attackers to inject unintended search conditions via ActiveRecord shortcut methods.
Vulnerability
CVE-2018-8074 affects the yii\elasticsearch\ActiveRecord::findOne() and yii\elasticsearch\ActiveRecord::findAll() methods in the yiisoft/yii2-elasticsearch extension for Yii 2.x versions before 2.0.15 [1][2]. The issue arises because these shortcut methods do not properly validate or prepare user-supplied input, allowing an attacker to manipulate the constructed search query. The vulnerability is a variant of the CVE-2018-7269 SQL injection issue but targets the Elasticsearch extension.
Exploitation
An attacker can exploit this vulnerability by providing crafted user input to an application that uses the affected findOne() or findAll() methods without sanitizing the input first [1][2]. No special network position or authentication is required beyond the application's normal access level. The attacker injects unintended search conditions, modifying the query sent to Elasticsearch.
Impact
Successful exploitation allows an attacker to inject different search conditions than intended, potentially retrieving unauthorized data or causing error responses from the Elasticsearch server [1][2]. The impact is primarily information disclosure and potential denial of service through malformed queries.
Mitigation
Yii released version 2.0.15 on March 21, 2018, which fixes this vulnerability by limiting findOne() and findAll() to filter only on columns that are ActiveRecord properties [1][2]. Users should upgrade to yiisoft/yii2-elasticsearch version compatible with Yii 2.0.15 or later. Application code review is also recommended to ensure user input is properly validated before being passed to these methods [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
yiisoft/yii2-devPackagist | >= 2.0.0, < 2.0.15 | 2.0.15 |
yiisoft/yii2-elasticsearchPackagist | < 2.0.5 | 2.0.5 |
Affected products
3- ghsa-coords2 versions
>= 2.0.0, < 2.0.15+ 1 more
- (no CPE)range: >= 2.0.0, < 2.0.15
- (no CPE)range: < 2.0.5
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/advisories/GHSA-m2p5-fwp2-qcw2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-8074ghsaADVISORY
- www.yiiframework.com/news/168/releasing-yii-2-0-15-and-database-extensions-with-security-fixesghsaWEB
- www.yiiframework.com/news/168/releasing-yii-2-0-15-and-database-extensions-with-security-fixes/mitrex_refsource_CONFIRM
- github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2-elasticsearch/CVE-2018-8074.yamlghsaWEB
- www.yiiframework.com/news/168/releasing-yii-2-0-15-and-database-extensions-with-security-fixesghsaWEB
News mentions
0No linked articles in our index yet.