CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2017-9841

CVSS 9.8v3.1pub. 2017-06-27upd. 2026-04-21

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Oracle Communications Diameter Signaling Router

    APP
    Oracle
    8.0.0 – 8.5.0
  • Phpunit Project Phpunit

    APP
    Phpunit Project
    ≤ 4.8.275.0.0 – 5.6.3 (bez)

CISA KEV — detailsi

Vendori
PHPUnit
Producti
PHPUnit
Added to KEVi
February 15, 2022
Remediation deadline (US Federal)i
August 15, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 15 sierpnia 2022
CWE
References

Related vulnerabilities

CVE-2020-2555CRITICAL9.8⚠ KEVten sam produkt

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invoc...

CVE-2021-21783CRITICAL9.8ten sam produkt

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A sp...

CVE-2020-11998CRITICAL9.8ten sam produkt

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to ...

CVE-2020-11973CRITICAL9.8ten sam produkt

Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0...

CVE-2020-11972CRITICAL9.8ten sam produkt

Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3....