CVE-2024-27355
high
CVSS v3
—
CVSS v2
—
VIR risk
8.0
Description
phpseclib guardrails needed on OID length
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-27355
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2.0.42-1+deb12u2 |
| debian | bullseye | fixed | 2.0.30-2+deb11u2 |
| debian | forky | fixed | 2.0.47-1 |
| debian | sid | fixed | 2.0.47-1 |
| debian | trixie | fixed | 2.0.47-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | phpseclib/phpseclib | >=2.0.0,<2.0.47 | 2.0.47 |
| Packagist | phpseclib/phpseclib | >=3.0.0,<3.0.36 | 3.0.36 |
| Packagist | phpseclib/phpseclib | >=0.1.1,<1.0.23 | 1.0.23 |
| Packagist | phpseclib/phpseclib | >=1.0.0,<1.0.23 | 1.0.23 |
| COMPOSER | phpseclib/phpseclib | >= 0.1.1, <= 1.0.22 | 1.0.23 |
| COMPOSER | phpseclib/phpseclib | >= 3.0.0, <= 3.0.35 | 3.0.36 |
| COMPOSER | phpseclib/phpseclib | >= 2.0.0, <= 2.0.46 | 2.0.47 |
References
- https://github.com/phpseclib/phpseclib/security/advisories/GHSA-f2qx-66wf-wvvx
- https://nvd.nist.gov/vuln/detail/CVE-2024-27355
- https://github.com/phpseclib/phpseclib/commit/e32531001b4d62c66c3d824ccef54ffad835eb59
- https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b
- https://github.com/FriendsOfPHP/security-advisories/blob/master/phpseclib/phpseclib/CVE-2024-27355.yaml
- https://github.com/phpseclib/phpseclib
- https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129
- https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html
- https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html
- https://security-tracker.debian.org/tracker/CVE-2024-27355
- https://github.com/advisories/GHSA-jr22-8qgm-4q87
- https://github.com/advisories/GHSA-f2qx-66wf-wvvx
Verify integrity in audit chain (admin only). AS-IS.