Vulnerability Details : CVE-2017-7411
Public exploit exists!
An issue was discovered in Enalean Tuleap 9.6 and prior versions. The vulnerability exists because the User::getRecentElements() method is using the unserialize() function with a preference value that can be arbitrarily manipulated by malicious users through the REST API interface, and this can be exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks (including but not limited to Remote Code Execution).
Vulnerability category: Execute code
Products affected by CVE-2017-7411
- cpe:2.3:a:enalean:tuleap:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-7411
70.83%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 98 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2017-7411
-
Tuleap 9.6 Second-Order PHP Object Injection
Disclosure Date: 2017-10-23First seen: 2020-04-26exploit/unix/webapp/tuleap_rest_unserialize_execThis module exploits a Second-Order PHP Object Injection vulnerability in Tuleap <= 9.6 which could be abused by authenticated users to execute arbitrary PHP code with the permissions of the webserver. The vulnerability exists because of the User::getRecentElements() method
CVSS scores for CVE-2017-7411
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST | |
8.8
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2017-7411
-
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-7411
-
http://packetstormsecurity.com/files/144716/Tuleap-9.6-Second-Order-PHP-Object-Injection.html
Tuleap 9.6 Second-Order PHP Object Injection ≈ Packet StormIssue Tracking;Third Party Advisory;VDB Entry
-
https://tuleap.net/plugins/tracker/?aid=10118
request #10118 - Requests - TuleapExploit;Issue Tracking;Vendor Advisory
-
https://www.exploit-db.com/exploits/43374/
Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)
-
http://www.openwall.com/lists/oss-security/2017/10/23/3
oss-security - [KIS-2017-02] Tuleap <= 9.6 Second-Order PHP Object Injection VulnerabilityIssue Tracking;Mailing List;Third Party Advisory
-
http://seclists.org/fulldisclosure/2017/Oct/53
Full Disclosure: [KIS-2017-02] Tuleap <= 9.6 Second-Order PHP Object Injection VulnerabilityIssue Tracking;Mailing List;Third Party Advisory
-
http://karmainsecurity.com/KIS-2017-02
Tuleap <= 9.6 Second-Order PHP Object Injection Vulnerability | Karma(In)SecurityIssue Tracking;Third Party Advisory
Jump to