CVE-2024-24754

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-24754

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-24754.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-24754

Aliases

GHSA-82vx-mm6r-gg8w

Published

2024-02-01T16:17:14Z

Modified

2024-05-14T13:09:41.280909Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and its content added in the $files or $parsedBody arrays. The conversion process produces a different output compared to the one of plain PHP when keys ending with and open square bracket ([) are used. Based on the application logic the difference in the body parsing might lead to vulnerabilities and/or undefined behaviors. This vulnerability is patched in 2.1.13.

References

Affected packages

Git / github.com/brefphp/bref

Affected ranges

Type: GIT
Repo: https://github.com/brefphp/bref
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c77d9f5abf021f29fa96b5720b7b84adbd199092

Affected versions

0.*

0.1.0

0.2.0

0.2.1

0.2.10

0.2.11

0.2.12

0.2.13

0.2.14

0.2.15

0.2.16

0.2.17

0.2.18

0.2.19

0.2.2

0.2.20

0.2.21

0.2.22

0.2.23

0.2.24

0.2.25

0.2.26

0.2.27

0.2.28

0.2.29

0.2.3

0.2.30

0.2.31

0.2.32

0.2.33

0.2.34

0.2.35

0.2.36

0.2.37

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.4.0

0.4.1

0.5.0

0.5.0-beta1

0.5.1

0.5.10

0.5.11

0.5.12

0.5.13

0.5.14

0.5.14-beta1

0.5.14-beta2

0.5.15

0.5.16

0.5.17

0.5.18

0.5.19

0.5.2

0.5.20

0.5.21

0.5.22

0.5.23

0.5.24

0.5.25

0.5.26

0.5.27

0.5.28

0.5.29

0.5.3

0.5.30

0.5.31

0.5.32

0.5.33

0.5.4

0.5.5

0.5.6

0.5.6-beta1

0.5.7

0.5.8

0.5.9

1.*

1.0.0

1.0.0-beta1

1.0.0-beta2

1.0.1

1.0.2

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.2.0

1.2.1

1.2.10

1.2.11

1.2.12

1.2.13

1.2.14

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.4.0

1.4.1

1.4.2

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.6.0

1.7.0

1.7.1

1.7.10

1.7.11

1.7.12

1.7.13

1.7.14

1.7.15

1.7.16

1.7.17

1.7.18

1.7.19

1.7.2

1.7.20

1.7.21

1.7.22

1.7.23

1.7.24

1.7.3

1.7.4

1.7.5

1.7.6

1.7.7

1.7.8

1.7.9

2.*

2.0.0

2.0.0-beta1

2.0.0-beta10

2.0.0-beta11

2.0.0-beta12

2.0.0-beta13

2.0.0-beta14

2.0.0-beta15

2.0.0-beta16

2.0.0-beta17

2.0.0-beta2

2.0.0-beta3

2.0.0-beta4

2.0.0-beta5

2.0.0-beta6

2.0.0-beta7

2.0.0-beta8

2.0.0-beta9

2.0.1

2.0.10

2.0.11

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.1.0

2.1.1

2.1.10

2.1.11

2.1.12

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9