PrestaShop autoupgrade module ZIP archives were vulnerable from CVE-2017-9841

High severity GitHub Reviewed Published Jan 7, 2020 in PrestaShop/autoupgrade • Updated Jan 9, 2023

Package

composer prestashop/autoupgrade (Composer)

Affected versions

>= 4.0.0, < 4.10.1

Patched versions

4.10.1

Description

Impact

We have identified that some autoupgrade module ZIP archives were built with PHPUnit development dependencies included. PHPUnit ships a PHP script that, when it is reachable on a web server, allows an attacker to achieve remote code execution (RCE).

This vulnerability impacts:

  • phpunit before 4.8.28 and 5.x before 5.6.3, as reported in CVE-2017-9841
  • phpunit >= 5.6.3 before 7.5.19 and 8.5.1 (this is a newly found vulnerability that is currently being submitted as a CVE, after disclosure to the phpunit maintainers)

You can read PrestaShop's official statement about this vulnerability here.

Patches

In the security patch, we look for the unwanted vendor/phpunit folder and remove it if we find it. This allows users to fix the security issue when upgrading.

Workarounds

Users can also simply remove the unwanted vendor/phpunit folder.
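The check described under Patches and Workarounds, as an added example that is not PrestaShop's own patch code: it locates every vendor/phpunit directory below a shop's web root (the path passed as the argument is an assumption), lists them, and removes them only when asked to, so an administrator can audit before deleting.

```shell
#!/bin/sh
# Added example, not the autoupgrade module's code. Finds stray vendor/phpunit
# directories under a PrestaShop install (the security patch performs the same
# search inside the autoupgrade module) and removes them on request.

# Print every vendor/phpunit directory below $1, one path per line.
find_phpunit_dirs() {
    find "$1" -type d -path '*/vendor/phpunit' 2>/dev/null | sort
}

# Print how many such directories exist below $1 (0 when the tree is clean).
count_phpunit_dirs() {
    find_phpunit_dirs "$1" | wc -l | tr -d ' '
}

# Remove every vendor/phpunit directory below $1, reporting each removal.
# Succeeds only if none remain afterwards; sibling vendor packages are kept.
remove_phpunit_dirs() {
    root="$1"
    find_phpunit_dirs "$root" | while IFS= read -r dir; do
        echo "removing $dir"
        rm -rf "$dir"
    done
    [ "$(count_phpunit_dirs "$root")" -eq 0 ]
}

# Self-check on a constructed module tree (hypothetical paths, not a real shop):
# one module carrying phpunit, one clean module, one unrelated vendor package.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/modules/autoupgrade/vendor/phpunit/phpunit/src" \
             "$tmp/modules/autoupgrade/vendor/symfony" \
             "$tmp/modules/clean/vendor/monolog"
    echo "before: $(count_phpunit_dirs "$tmp") phpunit dir(s)"
    remove_phpunit_dirs "$tmp" && [ -d "$tmp/modules/autoupgrade/vendor/symfony" ]
    status=$?
    rm -rf "$tmp"
    return $status
}

# Audit a real install: sh cleanup.sh /var/www/shop (path is an example).
if [ $# -gt 0 ]; then
    find_phpunit_dirs "$1"
fi
```

Run it with no argument to execute only the self-check; pass the web root to list what would be removed, then call `remove_phpunit_dirs` on that root once the list looks right.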

References

https://nvd.nist.gov/vuln/detail/CVE-2017-9841

For more information

If you have any questions or comments about this advisory, email us at security@prestashop.com

@matks matks published to PrestaShop/autoupgrade Jan 7, 2020
Reviewed Jan 8, 2020
Published to the GitHub Advisory Database Jan 8, 2020
Last updated Jan 9, 2023

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-wqq8-mqj9-697f

Source code

No known source code