CVE-2024-24754

2024-02-0116:17:14

CWE-436

[email protected]

web.nvd.nist.gov

bref

aws lambda

php

event-driven function

vulnerability

patched

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

32.5%

JSON

Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and its content added in the $files or $parsedBody arrays. The conversion process produces a different output compared to the one of plain PHP when keys ending with and open square bracket ([) are used. Based on the application logic the difference in the body parsing might lead to vulnerabilities and/or undefined behaviors. This vulnerability is patched in 2.1.13.

Affected configurations

Vulners

NVD

Node

brefphpbrefRange<2.1.13

CPENameOperatorVersion
mnapoli:brefmnapoli breflt2.1.13

CPE	Name	Operator	Version
mnapoli:bref	mnapoli bref	lt	2.1.13

CNA Affected

[
  {
    "vendor": "brefphp",
    "product": "bref",
    "versions": [
      {
        "version": "< 2.1.13",
        "status": "affected"
      }
    ]
  }
]