GHSA-5rwm-2xw8-hh9p

Source

https://github.com/advisories/GHSA-5rwm-2xw8-hh9p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-5rwm-2xw8-hh9p/GHSA-5rwm-2xw8-hh9p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5rwm-2xw8-hh9p

Aliases

CVE-2024-1651

Published

2024-02-20T00:30:37Z

Modified

2024-02-21T00:26:45.671641Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Deserialization of Untrusted Data in Torrentpier

Details

Torrentpier version 2.4.1 allows executing arbitrary commands on the server.

This is possible because the application is vulnerable to insecure deserialization.

Database specific

{
    "nvd_published_at": "2024-02-20T00:15:14Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-21T00:11:35Z"
}

References

Affected packages

Packagist / torrentpier/torrentpier

Package

Name: torrentpier/torrentpier
Purl: pkg:composer/torrentpier/torrentpier

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.4.1

Affected versions

v2.*

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.3.0

v2.3.0.1

v2.3.0.2

v2.3.0.3

v2.3.1-rc1

v2.3.1

v2.4.0-alpha1

v2.4.0-alpha2

v2.4.0-alpha3

v2.4.0-alpha4

v2.4.0-beta1

v2.4.0-beta2

v2.4.0-beta3

v2.4.0-beta4

v2.4.0-rc1

v2.4.0-rc2

v2.4.0

v2.4.1

2.*

2.3.0.4-beta

2.3.0.4-beta2