6.5

CVE-2024-24753

Exploit

EPSS 0.19%
Veröffentlicht 01.02.2024 16:17:14
Zuletzt bearbeitet 21.11.2024 08:59:37
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mnapoli ≫ Bref Version < 2.1.13

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.19%	0.412

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
security-advisories@github.com	4.8	2.2	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-436 Interpretation Conflict

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc

Patch

https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-24753

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-24753

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-24753

EUVD