Vulnerability Description
This affects the package codeception/codeception from 4.0.0 and before 4.1.22, before 3.1.3. The RunProcess class can be leveraged as a gadget to run arbitrary commands on a system that is deserializing user input without validation.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Codeception | Codeception | < 3.1.3 |
Related Weaknesses (CWE)
References
- https://github.com/Codeception/Codeception/blob/4.1/ext/RunProcess.php%23L52Broken Link
- https://github.com/Codeception/Codeception/pull/6241PatchThird Party Advisory
- https://github.com/JinYiTong/pocExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-PHP-CODECEPTIONCODECEPTION-1324585Third Party Advisory
- https://github.com/Codeception/Codeception/blob/4.1/ext/RunProcess.php%23L52Broken Link
- https://github.com/Codeception/Codeception/pull/6241PatchThird Party Advisory
- https://github.com/JinYiTong/pocExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-PHP-CODECEPTIONCODECEPTION-1324585Third Party Advisory
FAQ
What is CVE-2021-23420?
CVE-2021-23420 is a vulnerability with a CVSS score of 7.7 (HIGH). This affects the package codeception/codeception from 4.0.0 and before 4.1.22, before 3.1.3. The RunProcess class can be leveraged as a gadget to run arbitrary commands on a system that is deserializi...
How severe is CVE-2021-23420?
CVE-2021-23420 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-23420?
Check the references section above for vendor advisories and patch information. Affected products include: Codeception Codeception.