CVE-2024-24754

Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and its content added in the `$files` or `$parsedBody` arrays. The conversion process produces a different output compared to the one of plain PHP when keys ending with and open square bracket ([) are used. Based on the application logic the difference in the body parsing might lead to vulnerabilities and/or undefined behaviors. This vulnerability is patched in 2.1.13.
Configurations

Configuration 1 (hide)

cpe:2.3:a:mnapoli:bref:*:*:*:*:*:*:*:*

History

09 Feb 2024, 01:56

Type Values Removed Values Added
First Time Mnapoli bref
Mnapoli
CVSS v2 : unknown
v3 : 3.7
v2 : unknown
v3 : 9.8
References () https://github.com/brefphp/bref/commit/c77d9f5abf021f29fa96b5720b7b84adbd199092 - () https://github.com/brefphp/bref/commit/c77d9f5abf021f29fa96b5720b7b84adbd199092 - Patch
References () https://github.com/brefphp/bref/security/advisories/GHSA-82vx-mm6r-gg8w - () https://github.com/brefphp/bref/security/advisories/GHSA-82vx-mm6r-gg8w - Exploit, Vendor Advisory
CPE cpe:2.3:a:mnapoli:bref:*:*:*:*:*:*:*:*

01 Feb 2024, 16:17

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-01 16:17

Updated : 2024-02-09 01:56


NVD link : CVE-2024-24754

Mitre link : CVE-2024-24754

CVE.ORG link : CVE-2024-24754


JSON object : View

Products Affected

mnapoli

  • bref
CWE
CWE-436

Interpretation Conflict