CVE-2017-9841

PHPUnit Command Injection Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

Util/PHP/eval-stdin.php en PHPUnit, en versiones anteriores a la 4.8.28 y en versiones 5.x anteriores a la 5.6.3, permite que atacantes remotos ejecuten código PHP arbitrario mediante datos HTTP POST que comienzan por una subcadena "

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-06-24 CVE Reserved
2017-06-27 CVE Published
2020-01-10 First Exploit
2022-02-15 Exploited in Wild
2022-08-15 KEV Due Date
2024-07-09 EPSS Updated
2024-08-05 CVE Updated

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (16)

URL	Tag	Source
http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com	Third Party Advisory
http://www.securityfocus.com/bid/101798	Broken Link
http://www.securitytracker.com/id/1039812	Broken Link

URL	Date	SRC
https://www.exploit-db.com/exploits/50702	2022-02-02
https://github.com/akr3ch/CVE-2017-9841	2022-08-19
https://github.com/Chocapikk/CVE-2017-9841	2023-08-27
https://github.com/MrG3P5/CVE-2017-9841	2024-02-15
https://github.com/mbrasile/CVE-2017-9841	2020-01-10
https://github.com/p1ckzi/CVE-2017-9841	2022-06-30
https://github.com/jax7sec/CVE-2017-9841	2022-04-22
https://github.com/Jhonsonwannaa/CVE-2017-9841-	2022-11-21
https://github.com/cyberharsh/Php-unit-CVE-2017-9841	2020-06-24

URL	Date	SRC
https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5	2022-04-18
https://github.com/sebastianbergmann/phpunit/pull/1956	2022-04-18
https://www.oracle.com/security-alerts/cpuoct2021.html	2022-04-18

URL	Date	SRC
https://security.gentoo.org/glsa/201711-15	2022-04-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Phpunit Project Search vendor "Phpunit Project"		Phpunit Search vendor "Phpunit Project" for product "Phpunit"				<= 4.8.27 Search vendor "Phpunit Project" for product "Phpunit" and version " <= 4.8.27"		-		Affected
Phpunit Project Search vendor "Phpunit Project"		Phpunit Search vendor "Phpunit Project" for product "Phpunit"				>= 5.0.0 < 5.6.3 Search vendor "Phpunit Project" for product "Phpunit" and version " >= 5.0.0 < 5.6.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Diameter Signaling Router Search vendor "Oracle" for product "Communications Diameter Signaling Router"				>= 8.0.0 <= 8.5.0 Search vendor "Oracle" for product "Communications Diameter Signaling Router" and version " >= 8.0.0 <= 8.5.0"		-		Affected