Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Bref Uploaded Files Not Deleted in Event-Driven Functions
Vulnerability Description
Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and for each which contains a file, it is extracted and saved in `/tmp` with a random filename starting with `bref_upload_`. The flow mimics what plain PHP does but it does not delete the temporary files when the request has been processed. An attacker could fill the Lambda instance disk by performing multiple MultiPart requests containing files. This vulnerability is patched in 2.1.13.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Vulnerability Title
Bref 资源管理错误漏洞
Vulnerability Description
Bref是Matthieu Napoli个人开发者的一个开源项目,可帮助您使用 PHP 在 AWS 上实现无服务器。 Bref 2.1.13之前版本存在资源管理错误漏洞,该漏洞源于在处理请求后不会删除临时文件。
CVSS Information
N/A
Vulnerability Type
N/A