GHSA-69wp-xwm7-69wm

Source
https://github.com/advisories/GHSA-69wp-xwm7-69wm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-69wp-xwm7-69wm/GHSA-69wp-xwm7-69wm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-69wp-xwm7-69wm
Aliases
Published
2022-03-22T00:00:43Z
Modified
2024-07-03T21:21:33.786567Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Exposure of Resource to Wrong Sphere in ThinkPHP Framework
Details

ThinkPHP Framework v5.0.24 was found to be configured without the PATHINFO parameter, which lets an attacker read all system environment parameters through index.php. The CVSS vector above (AV:N/AC:L/PR:N/UI:N with C:H and no integrity or availability impact) records this as a network-reachable information disclosure that needs neither privileges nor user interaction. The affected range below lists 5.0.24 as the last affected release and records no fixed version, so every 5.0 release up to and including 5.0.24 should be treated as affected.

Database specific
{
    "nvd_published_at": "2022-03-21T00:15:00Z",
    "cwe_ids": [
        "CWE-284",
        "CWE-668"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-01T13:50:10Z"
}
References

Affected packages

Packagist / topthink/framework

Package

Name
topthink/framework
Purl
pkg:composer/topthink/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
5.0.24

Affected versions

5.*

5.0-rc1
5.0-rc2
5.0-rc3
5.0-rc4
5.0

v5.*

v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.0.10
v5.0.11
v5.0.12
v5.0.13
v5.0.14
v5.0.15
v5.0.16
v5.0.17
v5.0.18
v5.0.19
v5.0.20
v5.0.21
v5.0.22
v5.0.23
v5.0.24
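The affected range above uses OSV ECOSYSTEM event semantics (introduced "0", last_affected "5.0.24"), and the version list mixes forms such as `v5.0.24`, `5.0` and `5.0-rc1`, so a naive string comparison will misjudge some of them. The following Python is an added example, not code from OSV, GitHub or the ThinkPHP project: it transcribes this advisory's affected range into an OSV-shaped dictionary, parses Composer-style versions into sortable keys, and scans a constructed composer.lock excerpt (not a real project's lockfile) for entries inside the range. The lockfile shape assumed is the standard `packages` / `packages-dev` layout; the `SAMPLE_LOCK` contents are invented for the demonstration.

```python
"""Flag composer.lock entries that fall inside this advisory's affected range."""
import json
import re

# Affected-range data transcribed from this advisory page (GHSA-69wp-xwm7-69wm):
# one ECOSYSTEM range, introduced "0", last_affected "5.0.24", for the
# Packagist package topthink/framework.
ADVISORY = {
    "id": "GHSA-69wp-xwm7-69wm",
    "affected": [
        {
            "package": {
                "ecosystem": "Packagist",
                "name": "topthink/framework",
                "purl": "pkg:composer/topthink/framework",
            },
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"last_affected": "5.0.24"}],
                }
            ],
        }
    ],
}

# Constructed composer.lock excerpt for this example; not a real project's lockfile.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "topthink/framework", "version": "v5.0.24"},
        {"name": "topthink/think-helper", "version": "v1.0.7"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.10"},
    ],
})

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-?([A-Za-z]+)\.?(\d*))?")

# Sorts below every parseable version; used for OSV's introduced "0" sentinel.
MIN_KEY = ((0, 0, 0), (0, "", 0))


def parse_version(text):
    """Turn a Composer-style version string into a sortable key.

    Covers the forms in this advisory's version list: an optional leading 'v'
    (v5.0.24), short numeric versions (5.0 == 5.0.0) and pre-release suffixes
    (5.0-rc1 sorts before 5.0).
    """
    text = text.strip().lstrip("vV")
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # pad so 5.0 compares equal to 5.0.0
    if m.group(2):                          # pre-release ranks below the final release
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))
    else:
        pre = (1, "", 0)
    return (tuple(nums), pre)


def version_in_range(version, rng):
    """Evaluate one OSV ECOSYSTEM range against a version string.

    OSV events pair up into intervals: [introduced, fixed) or
    [introduced, last_affected]; an introduced event with no closing bound
    means every later version is affected.
    """
    if rng.get("type") != "ECOSYSTEM":
        return False
    v = parse_version(version)
    lower = None
    for event in rng["events"]:
        if "introduced" in event:
            intro = event["introduced"]
            lower = MIN_KEY if intro == "0" else parse_version(intro)
        elif "fixed" in event and lower is not None:
            if lower <= v < parse_version(event["fixed"]):
                return True
            lower = None
        elif "last_affected" in event and lower is not None:
            if lower <= v <= parse_version(event["last_affected"]):
                return True
            lower = None
    return lower is not None and lower <= v


def scan_composer_lock(lock_text, advisory):
    """Return (package, version, advisory id) for each lock entry in an affected range."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            for affected in advisory["affected"]:
                if affected["package"]["name"] != entry["name"]:
                    continue
                if any(version_in_range(entry["version"], r) for r in affected["ranges"]):
                    findings.append((entry["name"], entry["version"], advisory["id"]))
    return findings


if __name__ == "__main__":
    for name, version, adv in scan_composer_lock(SAMPLE_LOCK, ADVISORY):
        print(f"{name} {version} is inside the affected range of {adv}")
```

Because the range has no `fixed` event, the matcher treats everything at or below 5.0.24 as affected and anything above it (5.0.25, 5.1.x, 6.x) as outside the range, which matches the version list on this page; if a later revision of the advisory adds a `fixed` event, the same walker picks it up without changes.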