CVE-2022-25481: Exposure of Resource to Wrong Sphere

March 21, 2022 (updated March 29, 2022)

ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php.

References

github.com/Lyther/VulnDiscover/blob/master/Web/ThinkPHP_InfoLeak.md
nvd.nist.gov/vuln/detail/CVE-2022-25481

Code Behaviors & Features

Detect and mitigate CVE-2022-25481 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →