Vulnerability Details : CVE-2017-9841
Public exploit exists!
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Products affected by CVE-2017-9841
- Oracle » Communications Diameter Signaling RouterVersions from including (>=) 8.0.0 and up to, including, (<=) 8.5.0cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
- cpe:2.3:a:phpunit_project:phpunit:*:*:*:*:*:*:*:*
- cpe:2.3:a:phpunit_project:phpunit:*:*:*:*:*:*:*:*
CVE-2017-9841 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
PHPUnit Command Injection Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2017-9841
Added on
2022-02-15
Action due date
2022-08-15
Exploit prediction scoring system (EPSS) score for CVE-2017-9841
94.41%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-9841
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-07 |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2017-9841
-
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2017-9841
-
https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
Correct fix for #1956 · sebastianbergmann/phpunit@284a69f · GitHubPatch;Third Party Advisory
-
http://www.securitytracker.com/id/1039812
MediaWiki Multiple Flaws Let Remote Users Modify Data, Obtain Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks and Let Local Users Obtain Passwords - SecurityTrackerBroken Link
-
https://security.gentoo.org/glsa/201711-15
PHPUnit: Remote code execution (GLSA 201711-15) — Gentoo securityThird Party Advisory
-
http://www.securityfocus.com/bid/101798
PHPUnit CVE-2017-9841 Arbitrary Code Execution VulnerabilityBroken Link
-
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - October 2021Patch;Third Party Advisory
-
http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/
CVE-2017-9841 RCE vulnerability in phpunitThird Party Advisory
-
https://github.com/sebastianbergmann/phpunit/pull/1956
Fix insulated tests with phpdbg by nicolas-grekas · Pull Request #1956 · sebastianbergmann/phpunit · GitHubPatch;Third Party Advisory
Jump to