CVE-2024-24753

01.02.2024, 16:17

Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.8 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
GitHub_M	CNA	4.8 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 35%

Vendor	Product	Version
mnapoli	bref	𝑥 < 2.1.13

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-436 - Interpretation Conflict
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

References

https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc

https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r

https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc

https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r