
Some autoupgrade module ZIP archives were vulnerable to CVE-2017-9841

High
matks published GHSA-wqq8-mqj9-697f Jan 7, 2020

Package

No package listed

Affected versions

4.0.0 to 4.3.0

Patched versions

4.10.1

Description

Impact

We have identified that some autoupgrade module ZIP archives were built with the phpunit dev dependencies included. PHPUnit ships a PHP script that, when reachable on a web server, would allow an attacker to perform remote code execution (RCE).

This vulnerability impacts

  • phpunit before 4.8.28 and 5.x before 5.6.3, as reported in CVE-2017-9841
  • phpunit >= 5.6.3 before 7.5.19 and 8.5.1 (this is a newly found vulnerability that is currently being submitted as a CVE, after disclosure was provided to the phpunit maintainers)

You can read PrestaShop's official statement about this vulnerability here.

Patches

In the security patch, we look for the unwanted vendor/phpunit folder and remove it if it is present. This lets users fix the security issue when upgrading.

Workarounds

Users can also simply remove the unwanted vendor/phpunit folder themselves.
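The check and the workaround above, as an added example that is not part of the advisory or of PrestaShop's own patch: a small POSIX shell script that scans a modules tree for any vendor/phpunit directory (it goes slightly beyond the autoupgrade module, since any module archive built with dev dependencies would carry the same directory) and removes the one found under a given module. The `modules/` layout and the default path are assumptions; the test data is constructed.

```shell
#!/bin/sh
# Added example, not PrestaShop code. Detect and remove a stray
# vendor/phpunit directory shipped inside an extracted module archive.

# List every vendor/phpunit directory below the given root (assumed to be
# the shop's modules/ directory). Prints one path per line, nothing if clean.
scan_for_phpunit() {
    root="$1"
    find "$root" -type d -path '*/vendor/phpunit' 2>/dev/null
}

# Remove vendor/phpunit from one module directory.
# Returns 0 if the directory existed and was removed, 1 if there was nothing to do.
remove_phpunit_dir() {
    module_dir="$1"
    target="$module_dir/vendor/phpunit"
    if [ ! -d "$target" ]; then
        return 1
    fi
    rm -rf "$target"
    return 0
}

# Usage (only when a modules directory is passed on the command line):
#   sh check_phpunit.sh /var/www/prestashop/modules
# Reports each hit and removes it, mirroring the advisory's workaround.
if [ "$#" -gt 0 ]; then
    scan_for_phpunit "$1" | while IFS= read -r hit; do
        printf 'found dev dependency: %s\n' "$hit"
        remove_phpunit_dir "$(dirname "$(dirname "$hit")")" \
            && printf 'removed: %s\n' "$hit"
    done
fi
```

The scan is read-only, so it can be run first as an audit across all modules; the removal step is the same action the advisory recommends, applied per module.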

References

https://nvd.nist.gov/vuln/detail/CVE-2017-9841

For more information

If you have any questions or comments about this advisory, email us at security@prestashop.com

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs