GHSA-f884-gm86-cg3q

Suggest an improvement
Source
https://github.com/advisories/GHSA-f884-gm86-cg3q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-f884-gm86-cg3q/GHSA-f884-gm86-cg3q.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-f884-gm86-cg3q
Published
2020-01-07T17:20:47Z
Modified
2024-12-02T05:49:30.536297Z
Summary
PrestaShop module ps_facetedsearch might be vulnerable from CVE-2017-9841
Details

Impact

We have identified that some ps_facetedsearch module ZIP archives have been built with phpunit dev dependencies. PHPUnit contains a php script that would allow, on a webserver, an attacker to perform a RCE.

This vulnerability impacts - phpunit before 4.8.28 and 5.x before 5.6.3 as reported in CVE-2017-9841 - phpunit >= 5.63 before 7.5.19 and 8.5.1 (this is a newly found vulnerability that is currently being submitted as a CVE after disclosure was provided to phpunit maintainers)

Patches

In the security patch, we look for the unwanted vendor/phpunit folder and remove it if we find it. This allows users to fix the security issue when upgrading.

Workarounds

Users can also simply remove the unwanted vendor/phpunit folder.

References

https://nvd.nist.gov/vuln/detail/CVE-2017-9841

For more information

If you have any questions or comments about this advisory, email us at security@prestashop.com

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-07T17:20:13Z"
}
References

Affected packages

Packagist / prestashop/ps_facetedsearch

Package

Name
prestashop/ps_facetedsearch
Purl
pkg:composer/prestashop/ps_facetedsearch

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.1

Affected versions

v1.*

v1.0.1
v1.0.2

v2.*

v2.1.0
v2.1.1
v2.1.2
v2.2.0
v2.2.1

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.1.0
v3.2.0
v3.2.1
v3.3.0
v3.4.0