Vulnerability-Lookup

CVE-2024-24753 (GCVE-0-2024-24753)

Vulnerability from cvelistv5 – Published: 2024-02-01 16:09 – Updated: 2025-06-17 14:36

Title

Bref Multiple Value Headers Not Supported in ApiGatewayFormatV2

Summary

Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-436 - Interpretation Conflict

Assigner

GitHub_M

References

URL

Tags

	https://github.com/brefphp/bref/security/advisori…	x_refsource_CONFIRM
	https://github.com/brefphp/bref/commit/f834027aaf…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	brefphp	bref	Affected: < 2.1.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:28:12.549Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r"
          },
          {
            "name": "https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-24753",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T19:51:56.622014Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T14:36:33.763Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "bref",
          "vendor": "brefphp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.1.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-436",
              "description": "CWE-436: Interpretation Conflict",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-01T20:25:07.428Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r"
        },
        {
          "name": "https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc"
        }
      ],
      "source": {
        "advisory": "GHSA-99f9-gv72-fw9r",
        "discovery": "UNKNOWN"
      },
      "title": "Bref Multiple Value Headers Not Supported in ApiGatewayFormatV2"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-24753",
    "datePublished": "2024-02-01T16:09:55.328Z",
    "dateReserved": "2024-01-29T20:51:26.009Z",
    "dateUpdated": "2025-06-17T14:36:33.763Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-24753\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-02-01T16:17:14.690\",\"lastModified\":\"2024-11-21T08:59:37.730\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13.\"},{\"lang\":\"es\",\"value\":\"Bref habilita PHP sin servidor en AWS Lambda. Cuando Bref se usa en combinaci\u00f3n con una API Gateway con el formato v2, no maneja encabezados de valores m\u00faltiples. Si PHP genera una respuesta con dos encabezados que tienen la misma clave pero valores diferentes, solo se conserva el \u00faltimo. Si una aplicaci\u00f3n se basa en varios encabezados con la misma clave configurada por razones de seguridad, Bref reducir\u00eda la seguridad de la aplicaci\u00f3n. Por ejemplo, si una aplicaci\u00f3n establece varios encabezados \\\"Content-Security-Policy\\\", Bref solo reflejar\u00e1 el \u00faltimo. Esta vulnerabilidad est\u00e1 parcheada en 2.1.13.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-436\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mnapoli:bref:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.1.13\",\"matchCriteriaId\":\"D8473D9F-5007-4ADC-B256-FD331BB522A0\"}]}]}],\"references\":[{\"url\":\"https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r\", \"name\": \"https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc\", \"name\": \"https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T23:28:12.549Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-24753\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-21T19:51:56.622014Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-17T14:36:29.177Z\"}}], \"cna\": {\"title\": \"Bref Multiple Value Headers Not Supported in ApiGatewayFormatV2\", \"source\": {\"advisory\": \"GHSA-99f9-gv72-fw9r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"brefphp\", \"product\": \"bref\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.1.13\"}]}], \"references\": [{\"url\": \"https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r\", \"name\": \"https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc\", \"name\": \"https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-436\", \"description\": \"CWE-436: Interpretation Conflict\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-02-01T20:25:07.428Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-24753\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-17T14:36:33.763Z\", \"dateReserved\": \"2024-01-29T20:51:26.009Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-02-01T16:09:55.328Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2024-24753

Vulnerability from gsd - Updated: 2024-01-30 06:03

Details

Aliases

CVE-2024-24753

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-24753"
      ],
      "details": "Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13.",
      "id": "GSD-2024-24753",
      "modified": "2024-01-30T06:03:12.483810Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-24753",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "bref",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 2.1.13"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "brefphp"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-436",
                "lang": "eng",
                "value": "CWE-436: Interpretation Conflict"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r",
            "refsource": "MISC",
            "url": "https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r"
          },
          {
            "name": "https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc",
            "refsource": "MISC",
            "url": "https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-99f9-gv72-fw9r",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:mnapoli:bref:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D8473D9F-5007-4ADC-B256-FD331BB522A0",
                    "versionEndExcluding": "2.1.13",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13."
          },
          {
            "lang": "es",
            "value": "Bref habilita PHP sin servidor en AWS Lambda. Cuando Bref se usa en combinaci\u00f3n con una API Gateway con el formato v2, no maneja encabezados de valores m\u00faltiples. Si PHP genera una respuesta con dos encabezados que tienen la misma clave pero valores diferentes, solo se conserva el \u00faltimo. Si una aplicaci\u00f3n se basa en varios encabezados con la misma clave configurada por razones de seguridad, Bref reducir\u00eda la seguridad de la aplicaci\u00f3n. Por ejemplo, si una aplicaci\u00f3n establece varios encabezados \"Content-Security-Policy\", Bref solo reflejar\u00e1 el \u00faltimo. Esta vulnerabilidad est\u00e1 parcheada en 2.1.13."
          }
        ],
        "id": "CVE-2024-24753",
        "lastModified": "2024-02-09T01:46:12.560",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 2.5,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.2,
              "impactScore": 2.5,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-01T16:17:14.690",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Exploit",
              "Vendor Advisory"
            ],
            "url": "https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-436"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

FKIE_CVE-2024-24753

Vulnerability from fkie_nvd - Published: 2024-02-01 16:17 - Updated: 2024-11-21 08:59

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc	Patch
security-advisories@github.com	https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	mnapoli	bref	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mnapoli:bref:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8473D9F-5007-4ADC-B256-FD331BB522A0",
              "versionEndExcluding": "2.1.13",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13."
    },
    {
      "lang": "es",
      "value": "Bref habilita PHP sin servidor en AWS Lambda. Cuando Bref se usa en combinaci\u00f3n con una API Gateway con el formato v2, no maneja encabezados de valores m\u00faltiples. Si PHP genera una respuesta con dos encabezados que tienen la misma clave pero valores diferentes, solo se conserva el \u00faltimo. Si una aplicaci\u00f3n se basa en varios encabezados con la misma clave configurada por razones de seguridad, Bref reducir\u00eda la seguridad de la aplicaci\u00f3n. Por ejemplo, si una aplicaci\u00f3n establece varios encabezados \"Content-Security-Policy\", Bref solo reflejar\u00e1 el \u00faltimo. Esta vulnerabilidad est\u00e1 parcheada en 2.1.13."
    }
  ],
  "id": "CVE-2024-24753",
  "lastModified": "2024-11-21T08:59:37.730",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-01T16:17:14.690",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-436"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-99F9-GV72-FW9R

Vulnerability from github – Published: 2024-02-01 20:53 – Updated: 2024-02-01 20:53

Summary

Bref Doesn't Support Multiple Value Headers in ApiGatewayFormatV2

Details

Impacted Resources

bref/src/Event/Http/HttpResponse.php:61-90

Description

When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers.

Precisely, if PHP generates a response with two headers having the same key but different values only the latest one is kept.

Impact

If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security.

For example, if an application sets multiple Content-Security-Policy headers, then Bref would just reflect the latest one.

PoC

Create a new Bref project.
Create an index.php file with the following content:

<?php
header("Content-Security-Policy: script-src 'none'", false);
header("Content-Security-Policy: img-src 'self'", false);
?>
<script>alert(document.domain)</script>
<img src="https://bref.sh/favicon-32x32.png">

Use the following serverless.yml to deploy the Lambda:

service: app

provider:
    name: aws
    region: eu-central-1

plugins:
    - ./vendor/bref/bref

functions:
    api:
        handler: index.php
        description: ''
        runtime: php-81-fpm
        timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)
        events:
            -   httpApi: '*'

# Exclude files from deployment
package:
    patterns:
        - '!node_modules/**'
        - '!tests/**'

Browse the Lambda URL.
Notice that the JavaScript code is executed as the Content-Security-Policy: script-src 'none' header has been removed.
Notice that the external image has not been loaded as the Content-Security-Policy: img-src 'self' header has been kept.
Start a PHP server inside the project directory (e.g. php -S 127.0.0.1:8090).
Browse the index.php script through the PHP server (e.g. http://127.0.0.1:8090/index.php).
Notice that the JavaScript code is not executed as the Content-Security-Policy: script-src 'none' header has been kept.
Notice that the external image has not been loaded as the Content-Security-Policy: img-src 'self' header has been kept.

Suggested Remediation

Concatenate all the multiple value headers' values with a comma (,) as separator and return a single header with all the values to the API Gateway.

References

https://www.rfc-editor.org/rfc/rfc9110.html#section-5.2

Severity ?

4.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "bref/bref"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-01T20:53:08Z",
    "nvd_published_at": "2024-02-01T16:17:14Z",
    "severity": "MODERATE"
  },
  "details": "## Impacted Resources\n\nbref/src/Event/Http/HttpResponse.php:61-90\n\n## Description\n\nWhen Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers.\n\nPrecisely, if PHP generates a response with two headers having the same key but different values only the latest one is kept.\n\n## Impact\n\nIf an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security.\n\nFor example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one.\n\n## PoC\n\n1. Create a new Bref project.\n2. Create an `index.php` file with the following content:\n```php\n\u003c?php\nheader(\"Content-Security-Policy: script-src \u0027none\u0027\", false);\nheader(\"Content-Security-Policy: img-src \u0027self\u0027\", false);\n?\u003e\n\u003cscript\u003ealert(document.domain)\u003c/script\u003e\n\u003cimg src=\"https://bref.sh/favicon-32x32.png\"\u003e\n```\n3. Use the following `serverless.yml` to deploy the Lambda:\n```yaml\nservice: app\n\nprovider:\n    name: aws\n    region: eu-central-1\n\nplugins:\n    - ./vendor/bref/bref\n\nfunctions:\n    api:\n        handler: index.php\n        description: \u0027\u0027\n        runtime: php-81-fpm\n        timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)\n        events:\n            -   httpApi: \u0027*\u0027\n\n# Exclude files from deployment\npackage:\n    patterns:\n        - \u0027!node_modules/**\u0027\n        - \u0027!tests/**\u0027\n```\n4. Browse the Lambda URL.\n5. Notice that the JavaScript code is executed as the `Content-Security-Policy: script-src \u0027none\u0027` header has been removed.\n6. Notice that the external image has not been loaded as the `Content-Security-Policy: img-src \u0027self\u0027` header has been kept.\n7. Start a PHP server inside the project directory (e.g. `php -S 127.0.0.1:8090`).\n8. Browse the `index.php` script through the PHP server (e.g. http://127.0.0.1:8090/index.php).\n9. Notice that the JavaScript code is not executed as the `Content-Security-Policy: script-src \u0027none\u0027` header has been kept.\n10. Notice that the external image has not been loaded as the `Content-Security-Policy: img-src \u0027self\u0027` header has been kept.\n\n## Suggested Remediation\n\nConcatenate all the multiple value headers\u0027 values with a comma (`,`) as separator and return a single header with all the values to the API Gateway.\n\n## References\n\n- https://www.rfc-editor.org/rfc/rfc9110.html#section-5.2",
  "id": "GHSA-99f9-gv72-fw9r",
  "modified": "2024-02-01T20:53:08Z",
  "published": "2024-02-01T20:53:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24753"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/brefphp/bref"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/HttpResponse.php#L61-L90"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Bref Doesn\u0027t Support Multiple Value Headers in ApiGatewayFormatV2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-24753 (GCVE-0-2024-24753)

GSD-2024-24753

FKIE_CVE-2024-24753

GHSA-99F9-GV72-FW9R

Impacted Resources

Description

Impact

PoC

Suggested Remediation

References

Tags

Sightings

Nomenclature