CVE-2023-27372

NameCVE-2023-27372
DescriptionSPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3347-1, DSA-5367-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
spip (PTS)jessie, jessie (lts)3.0.17-2+deb8u5vulnerable
stretch (security), stretch (lts), stretch3.1.4-4~deb9u5vulnerable
buster (security), buster, buster (lts)3.2.4-1+deb10u13fixed
bullseye3.2.11-3+deb11u10fixed
bullseye (security)3.2.11-3+deb11u7fixed
sid, trixie4.3.3+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
spipsourcejessie(unfixed)end-of-life
spipsourcestretch(unfixed)end-of-life
spipsourcebuster3.2.4-1+deb10u10DLA-3347-1
spipsourcebullseye3.2.11-3+deb11u7DSA-5367-1
spipsource(unstable)4.1.8+dfsg-1

Notes

https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html
https://git.spip.net/spip/spip/commit/5aedf49b89415a4df3eb775eee3801a2b4b88266 (v3.2.18)
https://git.spip.net/spip/spip/commit/96fbeb38711c6706e62457f2b732a652a04a409d (master)
https://blog.spip.net/Mise-a-jour-sortie-de-SPIP-4-2-2-SPIP-4-1-9-SPIP-4-0-11-et-SPIP-3-2-19.html (regression update)
https://git.spip.net/spip/svp/commit/d463bc549b13bc45651051f83760e8ce274c98d9 (SVP, regression fix)

Search for package or bug name: Reporting problems