Vulners
Lucene search
Tuleap 9.6 Second-Order PHP Object Injection Vulnerability
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | Tuleap 9.6 Second-Order PHP Object Injection Exploit | 19 Dec 201700:00 | – | zdt |
 | CVE-2017-7411 | 19 Dec 201700:00 | – | circl |
 | Enalean Tuleap User::getRecentElements() method code execution vulnerability | 11 Dec 201700:00 | – | cnvd |
 | CVE-2017-7411 | 30 Oct 201714:00 | – | cve |
 | CVE-2017-7411 | 30 Oct 201714:00 | – | cvelist |
 | Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit) | 19 Dec 201700:00 | – | exploitdb |
 | Tuleap 9.6 Second-Order PHP Object Injection | 1 Nov 201715:09 | – | metasploit |
 | CVE-2017-7411 | 30 Oct 201714:29 | – | nvd |
 | Tuleap < 9.7 Object Injection Vulnerability | 24 Oct 201700:00 | – | openvas |
 | Tuleap 9.6 Second-Order PHP Object Injection | 19 Dec 201700:00 | – | packetstorm |
10
-------------------------------------------------------------
Tuleap <= 9.6 Second-Order PHP Object Injection Vulnerability
-------------------------------------------------------------
[-] Software Links:
https://www.tuleap.org
https://www.enalean.com
[-] Affected Versions:
All versions from 5.0 to 9.6.
[-] Vulnerability Description:
The vulnerable code can be triggered through the User::getRecentElements() method defined in /src/common/user/User.class.php:
1425. public function getRecentElements() {
1426. if ($recent_elements = $this->getPreference(self::PREFERENCE_RECENT_ELEMENTS)) {
1427. if ($recent_elements = unserialize($recent_elements)) {
1428. if (is_array($recent_elements)) {
1429. return $recent_elements;
1430. }
1431. }
1432. //somthing wrong happen. Delete the preference
1433. $this->delPreference(self::PREFERENCE_RECENT_ELEMENTS);
1434. }
1435. return array();
1436. }
The vulnerability exists because this method is using the unserialize() function with a value that can be arbitrarily manipulated by a user through
the REST API interface. This can be exploited to inject arbitrary PHP objects into the application scope, and could allow authenticated attackers to
execute arbitrary PHP code via specially crafted serialized objects. Successful exploitation of this vulnerability requires an user account with
permissions to create or access artifacts in a tracker.
[-] Solution:
Update to version 9.7 or later.
[-] Disclosure Timeline:
[03/04/2017] - Vendor notified
[03/04/2017] - Vendor acknowledgement
[03/04/2017] - Vendor submitted artifact: https://tuleap.net/plugins/tracker/?aid=10118
[03/04/2017] - CVE number requested
[03/04/2017] - CVE number assigned
[05/04/2017] - Vulnerability fixed on the git repository: https://goo.gl/X2AT4z
[26/04/2017] - Version 9.7 released
[23/10/2017] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2017-7411 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
# 0day.today [2018-01-08] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Oct 2017 00:00Current
8.7High risk
Vulners AI Score8.7
EPSS0.73892