CVE-2023-27372

NameCVE-2023-27372
DescriptionSPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3347-1, DSA-5367-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
spip (PTS)bullseye3.2.11-3+deb11u10fixed
bullseye (security)3.2.11-3+deb11u7fixed
sid, trixie4.3.4+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
spipsourcebuster3.2.4-1+deb10u10DLA-3347-1
spipsourcebullseye3.2.11-3+deb11u7DSA-5367-1
spipsource(unstable)4.1.8+dfsg-1

Notes

https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html
https://git.spip.net/spip/spip/commit/5aedf49b89415a4df3eb775eee3801a2b4b88266 (v3.2.18)
https://git.spip.net/spip/spip/commit/96fbeb38711c6706e62457f2b732a652a04a409d (master)
https://blog.spip.net/Mise-a-jour-sortie-de-SPIP-4-2-2-SPIP-4-1-9-SPIP-4-0-11-et-SPIP-3-2-19.html (regression update)
https://git.spip.net/spip/svp/commit/d463bc549b13bc45651051f83760e8ce274c98d9 (SVP, regression fix)

Search for package or bug name: Reporting problems