CVE-2017-9841

CRITICAL CISA KEV EPSS 100.0%
Published Jun 27, 2017 (9y ago) · Modified Jun 17, 2026 (2w ago)
9.8 CVSS 3.1
Critical
KEV Listed Feb 15, 2022 (4y ago)
KEV Due Aug 15, 2022 (1417d overdue)

Description

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

CVSS Details

Base Score
9.8
Exploitability
3.9
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

CISA Known Exploited Overdue 1417d
Added
Feb 15, 2022
Due
Aug 15, 2022

Apply updates per vendor instructions.

EPSS Exploit Probability
Percentile 100.0%
Exploit & Patch Status
Actively Exploited (KEV)
Patch Available

Weaknesses 1

CWE-94 Improper Control of Generation of Code ('Code Injection') (category: Injection)

Affected Products 3

Vendor           Product                                   Version  Range
phpunit_project  phpunit                                   *        ≤ 4.8.27
phpunit_project  phpunit                                   *        ≥ 5.0.0 – < 5.6.3
oracle           communications_diameter_signaling_router  *        ≥ 8.0.0 – ≤ 8.5.0

References 8

  • web.archive.org http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/
    Third Party Advisory
  • securityfocus.com http://www.securityfocus.com/bid/101798
    Broken Link
  • securitytracker.com http://www.securitytracker.com/id/1039812
    Broken Link
  • github.com https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
    Patch, Third Party Advisory
  • github.com https://github.com/sebastianbergmann/phpunit/pull/1956
    Patch, Third Party Advisory
  • security.gentoo.org https://security.gentoo.org/glsa/201711-15
    Third Party Advisory
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9841
    US Government Resource
  • oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html
    Patch, Third Party Advisory

Remediation

  • github.com https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
    Patch, Third Party Advisory
  • github.com https://github.com/sebastianbergmann/phpunit/pull/1956
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html
    Patch, Third Party Advisory