CVE-2017-9841

nvd nist nuclei

Published: Jun 27, 2017Modified: Apr 21, 2026CISA KEV

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

Affected (3)

Products: Phpunit Project: Phpunit · Oracle: Communications Diameter Signaling Router

Phpunit Project

1 product

1 product

Communications Diameter Signaling Router

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Phpunit Project Phpunit	Up to 4.8.27
Phpunit Project Phpunit	From 5.0.0 to 5.6.3

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Communications Diameter Signaling Router	From 8.0.0 to 8.5.0

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (15)

http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/bid/101798

Source: cve@mitre.org

Broken Link

http://www.securitytracker.com/id/1039812

Source: cve@mitre.org

Broken Link

https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/sebastianbergmann/phpunit/pull/1956

Source: cve@mitre.org

PatchThird Party Advisory

https://security.gentoo.org/glsa/201711-15

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Source: cve@mitre.org

PatchThird Party Advisory

http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

http://www.securityfocus.com/bid/101798

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

http://www.securitytracker.com/id/1039812

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/sebastianbergmann/phpunit/pull/1956

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://security.gentoo.org/glsa/201711-15

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9841

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.