| Name | CVE-2024-7954 |
| Description | The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| spip (PTS) | bullseye | 3.2.11-3+deb11u10 | fixed |
| bullseye (security) | 3.2.11-3+deb11u7 | fixed | |
| trixie | 4.3.5+dfsg-1 | fixed | |
| sid | 4.3.6+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| spip | source | bullseye | (not affected) | |||
| spip | source | (unstable) | 4.3.0+dfsg-1 |
[bullseye] - spip <not-affected> (Vulnerable code not present in 3.x)
https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html
https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather/
https://git.spip.net/spip/porte-plume/-/commit/e1e5a20f26beb3c1764bdccbbae634fc22468969 (porte_plume v3.1.6) (shipped in spip 4.2.13 and 4.3.0-alpha2)
https://git.spip.net/spip/porte-plume/-/commit/e8146a3d74808b21993df5525be70d7ce76ba881 (porte_plume v3.1.6) (shipped in spip 4.2.13 and 4.3.0-alpha2)
Introduced by https://git.spip.net/spip/porte-plume/-/commit/8015469c51adbc09395f7aa3450fa96abd35033f (porte_plume v3.1.4) (shipped in spip 4.2.5 and 4.3)