[GHSA-r7c9-c69m-rph8] Code injection in PHPUnit

[donatj]

Updates

• Affected products

---

The vulnerability was added with this commit - sebastianbergmann/phpunit@3aaddb1

You can see from the tags on that commit that it was added in 4.8.19 and no earlier.

[shelbyc]

Good afternoon. Do you have a reference that indicates sebastianbergmann/phpunit@3aaddb1 marks the introduction of the vulnerability?

[donatj]

So a lot of sources say "PHPUnit before 4.8.28" I think it just a lazy way of saying "we didn't want to bother checking old versions"

That file didn't exist until 2015 but PHP Unit's first release was in 2006.

From https://nvd.nist.gov/vuln/detail/CVE-2017-9841

external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI

If you compare the src/Util/PHP directory across releases, that file with the nasty dangerous eval was added in 4.8.19 - it did not exist prior to that and thus the bug did not exist.

• https://github.com/sebastianbergmann/phpunit/tree/4.8.18/src/Util/PHP - 4.8.18 does not contain eval-stdin.php
• https://github.com/sebastianbergmann/phpunit/tree/4.8.19/src/Util/PHP - 4.8.19 does contain eval-stdin.php

The file itself was added in this PR - sebastianbergmann/phpunit#1956

[shelbyc]

Thank you for all the information and providing links! I've added 4.8.19 as the earliest vulnerable version and changed the description to include it. The commit and pull request that introduced the vulnerability are also reference links now.

[advisory-database]

Hi @donatj! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!