Source: civicrm
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,

The following vulnerability was published for snappy, which is bundled by civicrm:

CVE-2023-28115[0]:
| Snappy is a PHP library allowing thumbnail, snapshot or PDF generation
| from a url or a html page. Prior to version 1.4.2, Snappy is
| vulnerable to PHAR deserialization due to a lack of checking on the
| protocol before passing it into the `file_exists()` function. If an
| attacker can upload files of any type to the server he can pass in the
| phar:// protocol to unserialize the uploaded file and instantiate
| arbitrary PHP objects. This can lead to remote code execution
| especially when snappy is used with frameworks with documented POP
| chains like Laravel/Symfony vulnerable developer code. If a user can
| control the output file from the `generateFromHtml()` function, it
| will invoke deserialization. This vulnerability is capable of remote
| code execution if Snappy is used with frameworks or developer code
| with vulnerable POP chains. It has been fixed in version 1.4.2.

https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc
https://github.com/KnpLabs/snappy/pull/469
https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6 (v1.4.2)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28115
    https://www.cve.org/CVERecord?id=CVE-2023-28115

Please adjust the affected versions in the BTS as needed.
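Added illustration of the kind of protocol check the advisory says was missing; this is not Snappy's, CiviCRM's or Debian's code. It rejects a user-influenced output path that carries a PHP stream-wrapper scheme before the path reaches `file_exists()`. The function names and sample paths are constructed for the example.

```php
<?php
// Constructed example (not the Snappy fix itself): refuse stream-wrapper
// schemes in a path that a caller may influence, so that file_exists()
// only ever touches the plain local filesystem.
// Assumption: legitimate output targets are plain local paths only.

function assertPlainFilesystemPath(string $path): void
{
    // "scheme://" selects a PHP stream wrapper (phar://, compress.zlib://,
    // ftp://, ...). The phar wrapper unserializes archive metadata as a
    // side effect of stat-style calls such as file_exists().
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        throw new InvalidArgumentException("Stream wrapper not allowed: $path");
    }
    // "data:" is resolved as a wrapper without the "//" part.
    if (stripos($path, 'data:') === 0) {
        throw new InvalidArgumentException("data: wrapper not allowed: $path");
    }
    // A null byte would truncate the path at the C level.
    if (strpos($path, "\0") !== false) {
        throw new InvalidArgumentException('Null byte in path');
    }
}

// Hardened stand-in for "does the output file already exist?".
function outputTargetExists(string $output): bool
{
    assertPlainFilesystemPath($output);
    return file_exists($output);
}

// Constructed inputs and the verdict each should receive.
$cases = [
    '/tmp/report.pdf'                => true,  // plain path: accepted
    'phar:///tmp/uploads/avatar.jpg' => false, // wrapper scheme: rejected
    'C:\\out\\report.pdf'            => true,  // drive letter, no "://": accepted
    'data:text/plain,x'              => false, // data wrapper: rejected
];
foreach ($cases as $path => $shouldAccept) {
    try {
        outputTargetExists($path);
        $accepted = true;
    } catch (InvalidArgumentException $e) {
        $accepted = false;
    }
    printf("%-32s %s\n", $path, $accepted === $shouldAccept ? 'ok' : 'UNEXPECTED');
}
```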

