CVE-2024-29186

{"id": "CVE-2024-29186", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-03-22T17:15:08.640", "references": [{"url": "https://github.com/brefphp/bref/commit/5f7c0294628dbcec6305f638ff7e2dba8a1c2f45", "source": "security-advisories@github.com"}, {"url": "https://github.com/brefphp/bref/security/advisories/GHSA-j4hq-f63x-f39r", "source": "security-advisories@github.com"}, {"url": "https://github.com/brefphp/bref/commit/5f7c0294628dbcec6305f638ff7e2dba8a1c2f45", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/brefphp/bref/security/advisories/GHSA-j4hq-f63x-f39r", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "Bref is an open-source project that helps users go serverless on Amazon Web Services with PHP. When Bref prior to version 2.1.17 is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed. In the parsing process, the `Content-Type` header of each part is read using the `Riverline/multipart-parser` library.\n\nThe library, in the `StreamedPart::parseHeaderContent` function, performs slow multi-byte string operations on the header value.\nPrecisely, the `mb_convert_encoding` function is used with the first (`$string`) and third (`$from_encoding`) parameters read from the header value.\n\nAn attacker could send specifically crafted requests which would force the server into performing long operations with a consequent long billed duration.\n\nThe attack has the following requirements and limitations: The Lambda should use the Event-Driven Function runtime and the `RequestHandlerInterface` handler and should implement at least an endpoint accepting POST requests; the attacker can send requests up to 6MB long (this is enough to cause a billed duration between 400ms and 500ms with the default 1024MB RAM Lambda image of Bref); and if the Lambda uses a PHP runtime <= php-82, the impact is higher as the billed duration in the default 1024MB RAM Lambda image of Bref could be brought to more than 900ms for each request. Notice that the vulnerability applies only to headers read from the request body as the request header has a limitation which allows a total maximum size of ~10KB.\n\nVersion 2.1.17 contains a fix for this issue."}, {"lang": "es", "value": "Bref es un proyecto de c\u00f3digo abierto que ayuda a los usuarios a utilizar PHP sin servidor en Amazon Web Services. Cuando se usa Bref anterior a la versi\u00f3n 2.1.17 con el tiempo de ejecuci\u00f3n de la funci\u00f3n controlada por eventos y el controlador es \"RequestHandlerInterface\", el evento Lambda se convierte en un objeto PSR7. Durante el proceso de conversi\u00f3n, si la solicitud es MultiPart, se analiza cada parte. En el proceso de an\u00e1lisis, el encabezado `Content-Type` de cada parte se lee usando la librer\u00eda `Riverline/multipart-parser`. La librer\u00eda, en la funci\u00f3n `StreamedPart::parseHeaderContent`, realiza operaciones lentas de cadenas multibyte en el valor del encabezado. Precisamente, la funci\u00f3n `mb_convert_encoding` se utiliza con el primer (`$string`) y el tercer par\u00e1metro (`$from_encoding`) le\u00eddos del valor del encabezado. Un atacante podr\u00eda enviar solicitudes espec\u00edficamente manipuladas que obligar\u00edan al servidor a realizar operaciones prolongadas con la consiguiente larga duraci\u00f3n facturada. El ataque tiene los siguientes requisitos y limitaciones: Lambda debe usar el tiempo de ejecuci\u00f3n de la funci\u00f3n controlada por eventos y el controlador `RequestHandlerInterface` y debe implementar al menos un endpoint que acepte solicitudes POST; el atacante puede enviar solicitudes de hasta 6 MB de longitud (esto es suficiente para provocar una duraci\u00f3n facturada de entre 400 ms y 500 ms con la imagen Lambda de RAM predeterminada de Bref de 1024 MB); y si Lambda usa un tiempo de ejecuci\u00f3n PHP &lt;= php-82, el impacto es mayor ya que la duraci\u00f3n facturada en la imagen Lambda de RAM predeterminada de Bref de 1024 MB podr\u00eda aumentar a m\u00e1s de 900 ms para cada solicitud. Tenga en cuenta que la vulnerabilidad se aplica solo a los encabezados le\u00eddos del cuerpo de la solicitud, ya que el encabezado de la solicitud tiene una limitaci\u00f3n que permite un tama\u00f1o m\u00e1ximo total de ~10 KB. La versi\u00f3n 2.1.17 contiene una soluci\u00f3n para este problema."}], "lastModified": "2024-11-21T09:07:45.250", "sourceIdentifier": "security-advisories@github.com"}