CVE-2017-9841
high-risk
Published 2017-06-27
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Do I need to act?
94.2% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
1 public exploit available
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10 (Critical): attack vector NETWORK, attack complexity LOW
Affected Products (2)
Affected Vendors
References (15)
Third Party Advisory: http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/
Broken Link: http://www.securityfocus.com/bid/101798
Broken Link: http://www.securitytracker.com/id/1039812
Third Party Advisory: https://security.gentoo.org/glsa/201711-15
Risk score: 66 / 100 (high-risk)
Severity: 32/34 · Critical
Exploitability: 27/34 · High
Exposure: 7/34 · Low