SCA: security update for bref/bref (GHSA-x4hh-frx8-98r5)

medium Tenable Cloud Security Plugin ID 420283

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Bref enables serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the
handler is a `RequestHandlerInterface`, the Lambda event is converted to a PSR-7 object. During the
conversion, if the request is multipart, each part is parsed and, for each part that contains a file, the
file is extracted and saved in `/tmp` with a random filename starting with `bref_upload_`. The flow mimics
what plain PHP does, but it does not delete the temporary files once the request has been processed. An
attacker could fill the Lambda instance disk by sending multiple multipart requests containing files.
This vulnerability is patched in 2.1.13. (CVE-2024-24752)
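The mitigation the advisory implies, as an added example that is not Bref's own code: a PSR-15 middleware that records the on-disk paths of the multipart uploads before the handler runs and removes them afterwards, so a burst of multipart requests cannot fill `/tmp` on versions that do not clean up. It assumes a PSR-7/PSR-15 application and that the uploaded file's stream reports its `/tmp/bref_upload_*` path via `getMetadata('uri')`; the class and method names are illustrative.

```php
<?php
// Added example (not part of Bref): clean up multipart upload temp files
// after the request has been handled. Assumes the PSR-7 UploadedFile's
// stream exposes the temp path through getMetadata('uri').
declare(strict_types=1);

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Message\UploadedFileInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

final class UploadCleanupMiddleware implements MiddlewareInterface
{
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // Collect paths first: after the handler calls moveTo(), getStream() is no longer usable.
        $paths = self::collectTempPaths($request->getUploadedFiles());
        try {
            return $handler->handle($request);
        } finally {
            // Runs whether the handler returned or threw, so nothing is left in /tmp.
            foreach ($paths as $path) {
                if (is_file($path)) {
                    unlink($path);
                }
            }
        }
    }

    /** Walk the (possibly nested) uploaded-files tree and return matching temp paths. */
    private static function collectTempPaths(array $files): array
    {
        $paths = [];
        foreach ($files as $file) {
            if ($file instanceof UploadedFileInterface) {
                $uri = $file->getStream()->getMetadata('uri');
                // Only remove files the runtime itself wrote with its prefix under /tmp.
                if (is_string($uri) && dirname($uri) === '/tmp'
                    && str_starts_with(basename($uri), 'bref_upload_')) {
                    $paths[] = $uri;
                }
            } elseif (is_array($file)) {
                $paths = array_merge($paths, self::collectTempPaths($file));
            }
        }
        return $paths;
    }
}
```

A file the handler has already moved with `moveTo()` fails the `is_file` check and is skipped, so the middleware never removes data the application chose to keep.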

See Also

https://github.com/advisories/GHSA-x4hh-frx8-98r5

Plugin Details

Severity: Medium

ID: 420283

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2024-24752

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/1/2024

Vulnerability Publication Date: 2/1/2024

Reference Information

CVE: CVE-2024-24752