CVE-2017-9841

NameCVE-2017-9841
DescriptionUtil/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs866200

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpunit (PTS)buster7.5.6-1fixed
bullseye9.5.2-1fixed
bookworm9.6.7-1fixed
sid, trixie9.6.18-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
phpunitsourcewheezy(not affected)
phpunitsourcejessie(not affected)
phpunitsourcestretch5.4.6-2~deb9u1
phpunitsource(unstable)5.4.6-2866200

Notes

[jessie] - phpunit <not-affected> (Issue introduced later; vulnerable code not present)
[wheezy] - phpunit <not-affected> (Issue introduced later; vulnerable code not present)
https://github.com/sebastianbergmann/phpunit/pull/1956
https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
http://phpunit.vulnbusters.com/

Search for package or bug name: Reporting problems