Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05OWY5LWd2NzItZnc5cs4AA4_1
Bref Doesn't Support Multiple Value Headers in ApiGatewayFormatV2
Impacted Resources
bref/src/Event/Http/HttpResponse.php:61-90
Description
When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers.
Precisely, if PHP generates a response with two headers having the same key but different values only the latest one is kept.
Impact
If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security.
For example, if an application sets multiple Content-Security-Policy headers, then Bref would just reflect the latest one.
PoC
- Create a new Bref project.
- Create an
index.phpfile with the following content:
<?php
header("Content-Security-Policy: script-src 'none'", false);
header("Content-Security-Policy: img-src 'self'", false);
?>
<script>alert(document.domain)</script>
<img src="https://bref.sh/favicon-32x32.png">
- Use the following
serverless.ymlto deploy the Lambda:
service: app
provider:
name: aws
region: eu-central-1
plugins:
- ./vendor/bref/bref
functions:
api:
handler: index.php
description: ''
runtime: php-81-fpm
timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)
events:
- httpApi: '*'
# Exclude files from deployment
package:
patterns:
- '!node_modules/**'
- '!tests/**'
- Browse the Lambda URL.
- Notice that the JavaScript code is executed as the
Content-Security-Policy: script-src 'none'header has been removed. - Notice that the external image has not been loaded as the
Content-Security-Policy: img-src 'self'header has been kept. - Start a PHP server inside the project directory (e.g.
php -S 127.0.0.1:8090). - Browse the
index.phpscript through the PHP server (e.g. http://127.0.0.1:8090/index.php). - Notice that the JavaScript code is not executed as the
Content-Security-Policy: script-src 'none'header has been kept. - Notice that the external image has not been loaded as the
Content-Security-Policy: img-src 'self'header has been kept.
Suggested Remediation
Concatenate all the multiple value headers' values with a comma (,) as separator and return a single header with all the values to the API Gateway.
References
Permalink: https://github.com/advisories/GHSA-99f9-gv72-fw9rJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05OWY5LWd2NzItZnc5cs4AA4_1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 10 months ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-99f9-gv72-fw9r, CVE-2024-24753
References:
- https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r
- https://nvd.nist.gov/vuln/detail/CVE-2024-24753
- https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc
- https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/HttpResponse.php#L61-L90
- https://github.com/advisories/GHSA-99f9-gv72-fw9r
Blast Radius: 11.6
Affected Packages
packagist:bref/bref
Dependent packages: 41Dependent repositories: 267
Downloads: 5,595,628 total
Affected Version Ranges: < 2.1.13
Fixed in: 2.1.13
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.2.17, 0.2.18, 0.2.19, 0.2.20, 0.2.21, 0.2.22, 0.2.23, 0.2.24, 0.2.25, 0.2.26, 0.2.27, 0.2.28, 0.2.29, 0.2.30, 0.2.31, 0.2.32, 0.2.33, 0.2.34, 0.2.35, 0.2.36, 0.2.37, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.5.9, 0.5.10, 0.5.11, 0.5.12, 0.5.13, 0.5.14, 0.5.15, 0.5.16, 0.5.17, 0.5.18, 0.5.19, 0.5.20, 0.5.21, 0.5.22, 0.5.23, 0.5.24, 0.5.25, 0.5.26, 0.5.27, 0.5.28, 0.5.29, 0.5.30, 0.5.31, 0.5.32, 0.5.33, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.7.15, 1.7.16, 1.7.17, 1.7.18, 1.7.19, 1.7.20, 1.7.21, 1.7.22, 1.7.23, 1.7.24, 1.7.25, 1.7.26, 1.7.27, 1.7.28, 1.7.29, 1.7.30, 1.7.31, 1.7.32, 1.7.33, 1.7.34, 1.7.35, 1.7.36, 1.7.37, 1.7.38, 1.7.39, 1.7.40, 1.7.41, 1.7.42, 1.7.43, 1.7.44, 1.7.45, 1.7.46, 1.7.47, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12
All unaffected versions: 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.1.19, 2.1.20, 2.1.21, 2.1.22, 2.1.23, 2.1.24, 2.1.25, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10