Candidate: CVE-2017-9841
PublicDate: 2017-06-27 17:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841
 http://phpunit.vulnbusters.com/
 https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
 https://github.com/sebastianbergmann/phpunit/pull/1956
Description:
 Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3
 allows remote attackers to execute arbitrary PHP code via HTTP POST data
 beginning with a "<?php " substring, as demonstrated by an attack on a site
 with an exposed /vendor folder, i.e., external access to the
 /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_phpunit:
upstream_phpunit: released (5.4.6-2, 5.4.6-2~deb9u1)
precise/esm_phpunit: DNE
trusty_phpunit: not-affected (code not present)
trusty/esm_phpunit: DNE (trusty was not-affected [code not present])
vivid/ubuntu-core_phpunit: DNE
xenial_phpunit: ignored (end of standard support, was needed)
yakkety_phpunit: ignored (reached end-of-life)
zesty_phpunit: ignored (reached end-of-life)
artful_phpunit: ignored (reached end-of-life)
bionic_phpunit: not-affected (6.5.5-1ubuntu2)
cosmic_phpunit: not-affected (6.5.5-1ubuntu2)
disco_phpunit: not-affected (6.5.5-1ubuntu2)
eoan_phpunit: not-affected (6.5.5-1ubuntu2)
focal_phpunit: not-affected (6.5.5-1ubuntu2)
groovy_phpunit: not-affected (6.5.5-1ubuntu2)
hirsute_phpunit: not-affected (6.5.5-1ubuntu2)
impish_phpunit: not-affected (6.5.5-1ubuntu2)
jammy_phpunit: not-affected (6.5.5-1ubuntu2)
devel_phpunit: not-affected (6.5.5-1ubuntu2)