CVE-2024-24753

Bref enables serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multi-value headers. If PHP generates a response with two headers having the same key but different values, only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, Bref would therefore weaken the application's security. For example, if an application sets multiple `Content-Security-Policy` headers, Bref would only reflect the latest one. This vulnerability is patched in 2.1.13.
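As an added illustration (not Bref's code and not the fix from the linked commit), the two hypothetical helpers below map a list of PHP response headers onto the API Gateway HTTP API v2 response shape, which carries string-valued `headers` and a separate `cookies` array: the first overwrites duplicate keys, as the description above explains, while the second joins duplicate values with ", " (CSP accepts a comma-separated list of policies, so both stay enforced) and routes Set-Cookie into `cookies`.

```php
<?php
// Added illustration, not Bref's own code. Hypothetical helpers that map a
// list of PHP response headers onto the API Gateway HTTP API (payload format
// v2) response shape, which has string-valued `headers` plus a `cookies` array.

/** Constructed sample: PHP emitted two CSP headers and two cookies. */
function sampleHeaders(): array
{
    return [
        ['Content-Security-Policy', "default-src 'self'"],
        ['Content-Security-Policy', "frame-ancestors 'none'"],
        ['Set-Cookie', 'session=abc; HttpOnly; Secure'],
        ['Set-Cookie', 'theme=dark'],
    ];
}

/** Vulnerable mapping: each assignment overwrites the previous value, so the
 *  first CSP policy (and the first cookie) are silently dropped. */
function toV2ResponseLastWins(array $headers): array
{
    $out = [];
    foreach ($headers as [$name, $value]) {
        $out[strtolower($name)] = $value;
    }
    return ['statusCode' => 200, 'headers' => $out, 'body' => ''];
}

/** Hardened mapping: duplicate keys are joined with ", " (HTTP list syntax;
 *  CSP treats a comma-separated value as several policies, all enforced),
 *  and Set-Cookie values go into the v2 `cookies` array, which keeps them intact. */
function toV2ResponseMultiValue(array $headers): array
{
    $out = [];
    $cookies = [];
    foreach ($headers as [$name, $value]) {
        $key = strtolower($name);
        if ($key === 'set-cookie') {
            $cookies[] = $value;
            continue;
        }
        $out[$key] = isset($out[$key]) ? $out[$key] . ', ' . $value : $value;
    }
    return ['statusCode' => 200, 'headers' => $out, 'cookies' => $cookies, 'body' => ''];
}

// Compare the CSP header each mapping would hand to API Gateway.
echo toV2ResponseLastWins(sampleHeaders())['headers']['content-security-policy'], PHP_EOL;
echo toV2ResponseMultiValue(sampleHeaders())['headers']['content-security-policy'], PHP_EOL;
```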
Configurations

Configuration 1

cpe:2.3:a:mnapoli:bref:*:*:*:*:*:*:*:*

History

09 Feb 2024, 01:46

Type / Values Removed / Values Added

CVSS
  • Removed: v2: unknown; v3: unknown
  • Added: v2: unknown; v3: 6.5

First Time
  • Added: Mnapoli bref; Mnapoli

CPE
  • Added: cpe:2.3:a:mnapoli:bref:*:*:*:*:*:*:*:*

References
  • Removed: https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r
  • Added: https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r - Exploit, Vendor Advisory
  • Removed: https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc
  • Added: https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc - Patch

01 Feb 2024, 20:50

Type / Values Removed / Values Added

Summary
  • Removed: Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.12.
  • Added: Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13.

References
  • Added: https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc

01 Feb 2024, 16:17

Type / Values Removed / Values Added

New CVE

Information

Published : 2024-02-01 16:17

Updated : 2024-02-28 20:54


NVD link : CVE-2024-24753

Mitre link : CVE-2024-24753

CVE.ORG link : CVE-2024-24753

Products Affected

mnapoli

  • bref
CWE

  • CWE-436 - Interpretation Conflict