CVE-2023-41330
published 2023-09-06


Priority: P2 · 61
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.88% (76.8th percentile)
knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page.
## Issue

On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\strpos($filename, 'phar://') === 0)` in the `prepareOutput` function to resolve this CVE. However, if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it is passed on as the `$filename` parameter of the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function, which allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and, if it starts with `phar://`, an exception is raised. However, because PHP stream wrappers are case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a`, which is included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator->generate(...)` function.
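The check described above and why it fails are easiest to see side by side. The following PHP is an added illustration, not knp-snappy's code and not the change made in commit `d3b742d61a`: `weakPharCheck()` reproduces the case-sensitive prefix test from 1.4.2, and `hardenedOutputPathCheck()` is one defensive design (case-insensitive match plus refusing any `scheme://` prefix on an output path). Both function names and the sample paths are assumptions constructed for this example.

```php
<?php
// Added example, not knp-snappy's code. Function names and sample paths are assumptions.
declare(strict_types=1);

/**
 * Reproduces the 1.4.2-style guard: a case-sensitive prefix comparison.
 * Returns true when the filename would be accepted for output.
 */
function weakPharCheck(string $filename): bool
{
    // Only the exact lowercase spelling 'phar://' is caught; PHP resolves
    // stream wrapper names case-insensitively, so 'PHAR://' slips through.
    return \strpos($filename, 'phar://') !== 0;
}

/**
 * Hardened variant (illustrative design, not the upstream fix):
 * 1. case-insensitive match on the phar wrapper;
 * 2. refuse any "scheme://" prefix at all, since an output path should be a
 *    plain filesystem path rather than a stream wrapper URL.
 */
function hardenedOutputPathCheck(string $filename): bool
{
    if (\stripos($filename, 'phar://') === 0) {
        return false;
    }
    // Generic wrapper prefix: letters, digits, '+', '.', '-' followed by '://'.
    if (\preg_match('#^[a-z][a-z0-9+.\-]*://#i', $filename) === 1) {
        return false;
    }
    return true;
}

// Constructed sample inputs: a normal output path and three spellings of the
// phar wrapper. Only the first should ever be accepted.
$samples = [
    '/tmp/report.pdf',
    'phar:///tmp/uploads/sample.phar/report.pdf',
    'PHAR:///tmp/uploads/sample.phar/report.pdf',
    'Phar:///tmp/uploads/sample.phar/report.pdf',
];

foreach ($samples as $path) {
    \printf(
        "%-46s weak=%-6s hardened=%s\n",
        $path,
        weakPharCheck($path) ? 'accept' : 'reject',
        hardenedOutputPathCheck($path) ? 'accept' : 'reject'
    );
}
// Expected: the weak check rejects only the lowercase 'phar://' path and
// accepts 'PHAR://' and 'Phar://'; the hardened check rejects all three.
```

The second rule in the hardened check is the more important one: a denylist of one wrapper name, even matched case-insensitively, still has to be kept in sync with every wrapper PHP registers, whereas refusing any scheme prefix on what is supposed to be a local output path removes the whole class. Note also that the deserialization trigger in `file_exists()` on phar metadata is specific to PHP versions before 8, which is why the advisory scopes exploitability that way; upgrading PHP closes this vector independently of the library fix.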

## Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| knplabs | knp-snappy | >= 0, < 1.4.3 | 1.4.3 |
| knplabs | snappy | < 1.4.3 | 1.4.3 |
| msrc | azl3_snappy_1.1.10-2_on_azure_linux_3.0 | | |

## Detection & IOCs

Indicators extracted from sources:

| Type | Value |
| --- | --- |
| command | PHAR:// |
| hash | d3b742d61a |

  • Detect PHAR wrapper bypass via case-insensitive variants (e.g., PHAR://) passed as the second parameter to generateFromHtml() or as $filename in prepareOutput()
  • Monitor for PHAR deserialization attempts via file_exists()-equivalent calls (fileExists()) with attacker-controlled filenames containing phar:// or PHAR:// wrappers
  • Flag exploitation attempts where user-controlled input reaches AbstractGenerator->generate(...) with PHAR-scheme filenames
  • Exploitation requires a prior file upload step; correlate suspicious file uploads with subsequent PHAR deserialization triggers on PHP versions prior to 8
  • Exploitation is limited to PHP versions prior to 8; environments running PHP 8+ are not affected by this specific PHAR deserialization vector

## CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vendor_msrc | | 9.8 | CRITICAL | |