CVE-2021-23420
HIGHcodeception/codeception < 3.1.3 - Remote Code Execution via RunProcess Deserialization Gadget
Title source: llmDescription
This affects the package codeception/codeception from 4.0.0 and before 4.1.22, before 3.1.3. The RunProcess class can be leveraged as a gadget to run arbitrary commands on a system that is deserializing user input without validation.
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/JinYiTong/poc
Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-PHP-CODECEPTIONCODECEPTION-1324585
Broken Link x_refsource_misc
https://github.com/Codeception/Codeception/blob/4.1/ext/RunProcess.php%23L52
Patch, Third Party Advisory x_refsource_misc
https://github.com/Codeception/Codeception/pull/6241
Scores
CVSS v3
7.7
EPSS
0.0271
EPSS Percentile
84.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Details
CWE
CWE-502
Status
published
Products (2)
codeception/codeception
< 3.1.3
codeception/codeception
0 - 3.1.3Packagist
Published
Aug 11, 2021
Tracked Since
Feb 18, 2026