Home > Vulnerability Database > CVE-2024-24752

Mend.io Vulnerability Database

CVE-2024-24752

Good to know:

Date: February 1, 2024

Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and for each which contains a file, it is extracted and saved in `/tmp` with a random filename starting with `bref_upload_`. The flow mimics what plain PHP does but it does not delete the temporary files when the request has been processed. An attacker could fill the Lambda instance disk by performing multiple MultiPart requests containing files. This vulnerability is patched in 2.1.13.

Language: PHP

Severity Score

6.5

Related Resources (4)

Url: https://github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e

Url: https://github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-24752

Url: https://www.mend.io/vulnerability-database/CVE-2024-24752

Severity Score

6.5

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Top Fix

Upgrade Version

Upgrade to version 2.1.13

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-24752

Good to know:

Date: February 1, 2024

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?