CVE-2024-24753

low-risk
Published 2024-02-01

Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13.

Do I need to act?

-
0.19% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Bref

Affected Vendors

Mnapoli

References (4)

Patch https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc
Exploit https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r
Patch https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc
Exploit https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r
21
/ 100
low-risk
Severity 15/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal