CVE-2023-27372

NameCVE-2023-27372
DescriptionSPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3347-1, DSA-5367-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
spip (PTS)buster3.2.4-1+deb10u9vulnerable
buster (security)3.2.4-1+deb10u12fixed
bullseye3.2.11-3+deb11u10fixed
bullseye (security)3.2.11-3+deb11u7fixed
bookworm4.1.9+dfsg-1+deb12u4fixed
sid, trixie4.1.15+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
spipsourcebuster3.2.4-1+deb10u10DLA-3347-1
spipsourcebullseye3.2.11-3+deb11u7DSA-5367-1
spipsource(unstable)4.1.8+dfsg-1

Notes

https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html
https://git.spip.net/spip/spip/commit/5aedf49b89415a4df3eb775eee3801a2b4b88266 (v3.2.18)
https://git.spip.net/spip/spip/commit/96fbeb38711c6706e62457f2b732a652a04a409d (master)
https://blog.spip.net/Mise-a-jour-sortie-de-SPIP-4-2-2-SPIP-4-1-9-SPIP-4-0-11-et-SPIP-3-2-19.html (regression update)
https://git.spip.net/spip/svp/commit/d463bc549b13bc45651051f83760e8ce274c98d9 (SVP, regression fix)

Search for package or bug name: Reporting problems