Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and its content added in the `$files` or `$parsedBody` arrays. The conversion process produces a different output compared to the one of plain PHP when keys ending with and open square bracket ([) are used. Based on the application logic the difference in the body parsing might lead to vulnerabilities and/or undefined behaviors. This vulnerability is patched in 2.1.13.
References
Link | Resource |
---|---|
https://github.com/brefphp/bref/commit/c77d9f5abf021f29fa96b5720b7b84adbd199092 | Patch |
https://github.com/brefphp/bref/security/advisories/GHSA-82vx-mm6r-gg8w | Exploit Vendor Advisory |
Configurations
History
09 Feb 2024, 01:56
Type | Values Removed | Values Added |
---|---|---|
First Time |
Mnapoli bref
Mnapoli |
|
CPE | cpe:2.3:a:mnapoli:bref:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | () https://github.com/brefphp/bref/security/advisories/GHSA-82vx-mm6r-gg8w - Exploit, Vendor Advisory | |
References | () https://github.com/brefphp/bref/commit/c77d9f5abf021f29fa96b5720b7b84adbd199092 - Patch |
01 Feb 2024, 21:30
Type | Values Removed | Values Added |
---|---|---|
Summary | Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and its content added in the `$files` or `$parsedBody` arrays. The conversion process produces a different output compared to the one of plain PHP when keys ending with and open square bracket ([) are used. Based on the application logic the difference in the body parsing might lead to vulnerabilities and/or undefined behaviors. This vulnerability is patched in 2.1.13. | |
References |
|
01 Feb 2024, 16:17
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-01 16:17
Updated : 2024-02-28 20:54
NVD link : CVE-2024-24754
Mitre link : CVE-2024-24754
CVE.ORG link : CVE-2024-24754
JSON object : View
Products Affected
mnapoli
- bref
CWE
CWE-436
Interpretation Conflict