43 matches found

EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2024-0944

Malicious code in bioql PyPI...

CVSS 5.3 · AI score 5.5 · EPSS 0.00117
Exploits 1 · References 4

EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2024-0566

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 9.2 · EPSS 0.00227
Exploits 1 · References 5

EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2024-0590

Malicious code in bioql PyPI...

CVSS 6.5 · AI score 6.5 · EPSS 0.00191
Exploits 1 · References 5

RedhatCVE
added 2025/05/23 9:38 a.m. · 4 views

CVE-2024-24753

Bref enables serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values, only the latest one is kept. If an application relie...

CVSS 6.5 · AI score 7 · EPSS 0.00191
Exploits 1 · References 1

RedhatCVE
added 2025/05/23 8:55 a.m. · 2 views

CVE-2024-29186

Bref is an open-source project that helps users go serverless on Amazon Web Services with PHP. When Bref prior to version 2.1.17 is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion...

CVSS 5.3 · AI score 6.8 · EPSS 0.00117
Exploits 1 · References 1

RedhatCVE
added 2025/05/23 7:29 a.m. · 5 views

CVE-2024-24754

Bref enables serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and its content...

CVSS 9.8 · AI score 7 · EPSS 0.00227
Exploits 1 · References 1

RedhatCVE
added 2025/05/23 7:23 a.m. · 6 views

CVE-2024-24752

Bref enables serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and for each whic...

CVSS 6.5 · AI score 6.8 · EPSS 0.00141
Exploits 1 · References 1

Veracode
added 2024/03/27 8:25 a.m. · 16 views

Serverless Billing Attack

bref/bref is vulnerable to Serverless Billing Attack. The vulnerability is due to slow multi-byte string operations performed on the Content-Type header values in the Riverline/multipart-parser library used by Bref. It allows an attacker to send specially crafted requests, causing long operations...

CVSS 5.3 · AI score 6.7 · EPSS 0.00117
Exploits 1 · References 2 · Affected Software 1

CVE
added 2024/03/22 5:07 p.m. · 57 views

CVE-2024-29186

CVE-2024-29186 affects Bref prior to 2.1.17. During Event-Driven Function runtime handling with a RequestHandlerInterface, Bref converts Lambda events to PSR-7 objects and parses multipart headers. The Riverline/multipart-parser’s StreamedPart::parseHeaderContent performs slow multi-byte header s...

CVSS 5.3 · AI score 5.1 · EPSS 0.00117
Exploits 1 · References 2 · Affected Software 1

Cvelist
added 2024/03/22 5:07 p.m. · 11 views

CVE-2024-29186 Slow String Operations via MultiPart Requests in Event-Driven Functions

Bref is an open-source project that helps users go serverless on Amazon Web Services with PHP. When Bref prior to version 2.1.17 is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion...

CVSS 5.3 · AI score 5.4 · EPSS 0.00117
Exploits 1 · References 2

OSV
added 2024/03/22 5:07 p.m. · 20 views

CVE-2024-29186 Slow String Operations via MultiPart Requests in Event-Driven Functions

Bref is an open-source project that helps users go serverless on Amazon Web Services with PHP. When Bref prior to version 2.1.17 is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion...

CVSS 5.3 · AI score 5.4 · EPSS 0.00117
Exploits 1 · References 4

Vulnrichment
added 2024/03/22 5:07 p.m. · 11 views

CVE-2024-29186 Slow String Operations via MultiPart Requests in Event-Driven Functions

Bref is an open-source project that helps users go serverless on Amazon Web Services with PHP. When Bref prior to version 2.1.17 is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion...

CVSS 5.3 · AI score 5.2 · EPSS 0.00117
Exploits 1 · References 2

OSV
added 2024/03/22 4:57 p.m. · 16 views

GHSA-J4HQ-F63X-F39R Slow String Operations via MultiPart Requests in Event-Driven Functions

Impacted Resources: bref/src/Event/Http/Psr7Bridge.php:94-125, multipart-parser/src/StreamedPart.php:383-418. Description: When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion...

CVSS 5.3 · AI score 5.2 · EPSS 0.00117
Exploits 1 · References 4

GitHub Security Blog
added 2024/03/22 4:57 p.m. · 21 views

Slow String Operations via MultiPart Requests in Event-Driven Functions

Impacted Resources: bref/src/Event/Http/Psr7Bridge.php:94-125, multipart-parser/src/StreamedPart.php:383-418. Description: When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion...

CVSS 5.3 · AI score 7 · EPSS 0.00117
Exploits 1 · References 4 · Affected Software 1

Positive Technologies
added 2024/03/22 12:00 a.m. · 3 views

PT-2024-22791 · Unknown +2 · Riverline/Multipart-Parser +2

Name of the Vulnerable Software and Affected Versions: Bref versions prior to 2.1.17 Description: The issue arises when Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface. During the conversion of a Lambda event to a PSR7 object, if the request is a...

CVSS 5.3 · AI score 6.8 · EPSS 0.00117
Exploits 1 · References 9

CNNVD
added 2024/03/22 12:00 a.m. · 1 view

Bref Security Vulnerability

Bref is an open source project by individual developer Matthieu Napoli that helps you go serverless on AWS using PHP. A security vulnerability exists in versions prior to Bref 2.1.17, which stems from the fact that an attacker can send specially designed requests that force the server to perform...

CVSS 5.3 · AI score 5.5 · EPSS 0.00117
Exploits 1 · References 3

Veracode
added 2024/02/02 8:47 a.m. · 14 views

Denial Of Service (DoS)

Bref is vulnerable to Denial of Service (DoS). The vulnerability is due to improper cleanup of temporary files after processing MultiPart requests when the Event-Driven Function runtime is utilized and the handler is a RequestHandlerInterface. This allows an attacker to fill the Lambda instance...

CVSS 6.5 · AI score 6.7 · EPSS 0.00141
Exploits 1 · References 2 · Affected Software 1

GitHub Security Blog
added 2024/02/01 10:47 p.m. · 26 views

Bref vulnerable to Body Parsing Inconsistency in Event-Driven Functions

Impacted Resources: bref/src/Event/Http/Psr7Bridge.php:130-168. Description: When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each...

CVSS 9.8 · AI score 7.3 · EPSS 0.00227
Exploits 1 · References 5 · Affected Software 1

OSV
added 2024/02/01 10:47 p.m. · 21 views

GHSA-82VX-MM6R-GG8W Bref vulnerable to Body Parsing Inconsistency in Event-Driven Functions

Impacted Resources: bref/src/Event/Http/Psr7Bridge.php:130-168. Description: When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each...

CVSS 3.7 · AI score 9.8 · EPSS 0.00227
Exploits 1 · References 5

OSV
added 2024/02/01 8:53 p.m. · 15 views

GHSA-99F9-GV72-FW9R Bref Doesn't Support Multiple Value Headers in ApiGatewayFormatV2

Impacted Resources: bref/src/Event/Http/HttpResponse.php:61-90. Description: When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. Precisely, if PHP generates a response with two headers having the same key but different values only the...

CVSS 4.8 · AI score 6.7 · EPSS 0.00191
Exploits 1 · References 5