CVE-2024-2961 about bookstack HOT 1 OPEN

Thanks @stefanman125,
Yeah, am aware, although frustratingly the actual impact is quite unclear, all that's been said so far is really this:

[...] On PHP however, it lead to amazing results: a new
exploitation technique that affects the whole PHP ecosystem, and the
compromission of several applications.

Which is quite vague. My best guess it maybe PHP's filter URIs (which include iconv) can be abused here, which has been a recent source of issues, but that's just a uneducated guess.

I don't really have a set process when it comes to vague potential vulnerabilities in underlying requirement dependencies, so thought I'd just advise system via our mastodon/twitter channels, was just waiting for debian to get something together which it looks like they've now done in the last day (RHEL still lagging a bit I think, but rocky has a workaround guide).

With this kind of thing, I have struggled knowing whether we should send a notice via the BookStack security alert mailing list. I usually use this when advising about BookStack specific changes and vulnerabilities in the app code (including updates to patched vulnerable dependencies), but I don't know where the scope exactly lies beyond that. It's not uncommon for vulnerabilities to appear in system dependencies, to the point I think it would be hard to track and cause notification/alert fatigue to notify on all potential cases, but it could make sense to report where there's a actual likely widespread impact; it's just hard to evaluate that if very little detail is provided like the case here.

This CVE seems to have got more attention that others, but it's hard to know if that's because there's actually significant known risk or because the little information/hint provided has been extrapolated out for attractive headlines/videos.

from bookstack.