GHSA-r7c9-c69m-rph8

Source

https://github.com/advisories/GHSA-r7c9-c69m-rph8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-r7c9-c69m-rph8/GHSA-r7c9-c69m-rph8.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-r7c9-c69m-rph8

Aliases

CVE-2017-9841

Published

2022-03-26T00:19:30Z

Modified

2025-10-22T17:47:49.874745Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H CVSS Calculator

Summary

Code Injection in PHPUnit

Details

Util/PHP/eval-stdin.php in PHPUnit starting with 4.8.19 and before 4.8.28, as well as 5.x before 5.6.3, allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a <?php substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

Database specific

{
    "github_reviewed": true,
    "severity": "CRITICAL",
    "nvd_published_at": "2017-06-27T17:29:00Z",
    "github_reviewed_at": "2022-03-26T00:19:30Z",
    "cwe_ids": [
        "CWE-94"
    ]
}

References

Affected packages

Packagist / phpunit/phpunit

Package

Name: phpunit/phpunit
Purl: pkg:composer/phpunit/phpunit

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.8.19

Fixed

4.8.28

Affected versions

4.*

4.8.19

4.8.20

4.8.21

4.8.22

4.8.23

4.8.24

4.8.25

4.8.26

4.8.27

Packagist / phpunit/phpunit

Package

Name: phpunit/phpunit
Purl: pkg:composer/phpunit/phpunit

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.10

Fixed

5.6.3

Affected versions

5.*

5.0.10

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

5.2.10

5.2.11

5.2.12

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

5.4.7

5.4.8

5.5.0

5.5.1

5.5.2

5.5.3

5.5.4

5.5.5

5.5.6

5.5.7

5.6.0

5.6.1

5.6.2