⚠ Actively exploited

Added to CISA KEV on 2022-02-15. Federal agencies required to patch by 2022-08-15. Required action: Apply updates per vendor instructions..

CVE-2017-9841 — Code Injection in Project Phpunit

CWE-94 — Code Injection25 documents17 sources

Severity

9.8CRITICALNVD

EPSS

94.2%

top 0.08%

CISA KEV

KEV

Added 2022-02-15

Due 2022-08-15

Exploit

Exploited in wild

Active exploitation observed

Affected products

Phpunit Project Phpunit Phpunit Prestashop Autoupgrade +3 more

Timeline

PublishedJun 27

KEV addedFeb 15

KEV dueAug 15

Latest updateDec 18

CISA Required Action: Apply updates per vendor instructions.

Description

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

▶Packagistphpunit/phpunit4.8.19 — 4.8.28+1

▶NVDphpunit_project/phpunit5.0.0 — 5.6.3+1

▶Packagistprestashop/autoupgrade4.0.0 — 4.10.1

▶Packagistprestashop/gamification< 2.3.2

▶Packagistprestashop/ps_facetedsearch< 3.4.1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Code Injection in PHPUnit↗2022-03-26

▶

OSV

Code Injection in PHPUnit↗2022-03-26

▶

OSV

PrestaShop gamification module ZIP archives were vulnerable from CVE-2017-9841↗2020-01-08

▶

GHSA

PrestaShop autoupgrade module ZIP archives were vulnerable from CVE-2017-9841↗2020-01-08

▶

GHSA

PrestaShop gamification module ZIP archives were vulnerable from CVE-2017-9841↗2020-01-08

▶

💥Exploits & PoCs

Exploit-DB

PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)↗2022-02-02

▶

Nuclei

PHPUnit - Remote Code Execution

▶

📋Vendor Advisories

Ubuntu

PHPUnit vulnerability↗2024-12-18

▶

CISA

PHPUnit Command Injection Vulnerability↗2022-02-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Signaling (PHP) — CVE-2017-9841↗2021-10-15

▶

Drupal

Various Third-Party Vulnerabilities - PSA-2019-09-04↗2019-09-04

▶

Debian

CVE-2017-9841: phpunit - Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows rem...↗2017

▶

🕵️Threat Intelligence

Unit42

Top CVEs to Patch: Insights from the 2022 Unit 42 Network Threat Trends Research Report↗2022-07-21

▶

📄Research Papers

CTF

Undetected / README↗

▶

💬Community

Bugzilla

CVE-2017-9841 php-phpunit-PHPUnit: allows attackers to execute arbitrary PHP code via HTTP POST data↗2020-01-28

▶

Bugzilla

CVE-2017-9841 php-phpunit-PHPUnit: allows attackers to execute arbitrary PHP code via HTTP POST data [epel-6]↗2020-01-28

▶