CVE-2023-41330 – Unsafe deserialization in knplabs/knp-snappy
https://notcve.org/view.php?id=CVE-2023-41330
knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page.

Issue: On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added the check `if (\strpos($filename, 'phar://') === 0)` to the `prepareOutput()` function to resolve that CVE. However, if the user is able to control the second parameter of Snappy's `generateFromHtml()` function, that value is passed on as the `$filename` parameter of `prepareOutput()`. In the original vulnerability, a file name carrying a `phar://` wrapper could reach the `fileExists()` function, equivalent to PHP's `file_exists()`, which let users trigger deserialization of arbitrary PHAR files. To fix this issue, the string is now passed to `strpos()` and an exception is raised if it starts with `phar://`.

• https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e
• https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj
• https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc
• CWE-502: Deserialization of Untrusted Data
CVE-2023-28115 – Snappy vulnerable to PHAR deserialization, allowing remote code execution
https://notcve.org/view.php?id=CVE-2023-28115
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization because the protocol of the output path is not checked before the path is passed to the `file_exists()` function. If an attacker can upload files of any type to the server, they can pass a `phar://` path that points at the uploaded file, causing its metadata to be unserialized and arbitrary PHP objects to be instantiated. This can lead to remote code execution, especially when Snappy is used with frameworks that have documented POP chains, such as Laravel or Symfony, or alongside vulnerable developer code. If a user can control the output file passed to the `generateFromHtml()` function, the deserialization is triggered.

• https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670
• https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6
• https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3
• https://github.com/KnpLabs/snappy/pull/469
• https://github.com/KnpLabs/snappy/releases/tag/v1.4.2
• https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc
• CWE-502: Deserialization of Untrusted Data
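The two Snappy entries above (CVE-2023-28115 and CVE-2023-41330) both come down to one question: what reaches `file_exists()` when the output file name is user-controlled? The block below is an added example, not Snappy's code and not the fix shipped in any Snappy release. It places the 1.4.2-style prefix test quoted in the advisory beside a stricter check that rejects every stream wrapper (PHP resolves wrapper names case-insensitively, so a single exact spelling is a narrow test) and confines the resolved path to an allowed directory before any filesystem call sees it. The function names `rejectsPharPrefixOnly` and `resolveOutputPath`, the directory name, and the candidate paths are all constructed for the example.

```php
<?php
declare(strict_types=1);

// 1.4.2-style check as quoted in the advisory: an exact, case-sensitive prefix test.
function rejectsPharPrefixOnly(string $filename): bool
{
    return \strpos($filename, 'phar://') === 0;
}

// Hardened variant (hypothetical, not Snappy's own code): refuse any stream wrapper,
// then confine the output path to $allowedDir before it touches the filesystem.
function resolveOutputPath(string $filename, string $allowedDir): string
{
    // Any "scheme://" prefix selects a stream wrapper (phar://, data://, ...).
    // PHP looks wrapper names up case-insensitively, so match case-insensitively too.
    if (\preg_match('~^[a-z][a-z0-9+.-]*://~i', $filename) === 1) {
        throw new \InvalidArgumentException('stream wrappers are not allowed for the output file');
    }

    $base = \realpath($allowedDir);
    $dir  = \realpath(\dirname($filename)); // resolves "..", false if the directory is missing
    if ($base === false || $dir === false
        || \strncmp($dir . \DIRECTORY_SEPARATOR, $base . \DIRECTORY_SEPARATOR, \strlen($base) + 1) !== 0) {
        throw new \InvalidArgumentException('output file must be inside ' . $allowedDir);
    }

    // Only a plain, confined path is ever handed to file_exists() or to wkhtmltopdf.
    return $dir . \DIRECTORY_SEPARATOR . \basename($filename);
}

$outDir = \sys_get_temp_dir() . '/snappy-out';
@\mkdir($outDir, 0700);

// Constructed candidate output names; the "avatar.jpg" is what an uploaded phar
// renamed to an innocuous extension would look like on disk.
$candidates = [
    $outDir . '/report.pdf',
    'phar://' . $outDir . '/avatar.jpg/x',
    'PHAR://' . $outDir . '/avatar.jpg/x',
    $outDir . '/../../etc/report.pdf',
];

foreach ($candidates as $candidate) {
    $narrow = rejectsPharPrefixOnly($candidate) ? 'rejected' : 'accepted';
    try {
        $hardened = 'accepted as ' . resolveOutputPath($candidate, $outDir);
    } catch (\InvalidArgumentException $e) {
        $hardened = 'rejected: ' . $e->getMessage();
    }
    \printf("%-50s prefix check: %-8s hardened: %s\n", $candidate, $narrow, $hardened);
}
```

Run it with the CLI (`php demo.php`); the third and fourth candidates are the ones where the two checks disagree. Two caveats for anyone assessing exposure: the implicit unserialization of phar metadata on filesystem functions such as `file_exists()` was removed in PHP 8.0, so the RCE path described in these advisories needs a PHP 7.x runtime, and the confinement check is still worth having there because the output path is also what the underlying converter writes to.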
CVE-2018-7577
https://notcve.org/view.php?id=CVE-2018-7577
Memcpy parameter overlap in the Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or in a read from other parts of process memory.

• https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-005.md
• CWE-20: Improper Input Validation