CVE-2024-11234

Updated: 2024-11-30 00:58:02.435306

Description:

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.



Severity

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | | 0 |
| CVSS Version 3.x | HIGH | 7.2 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| EL 6 | PHP php | 7.0 | 7.2 | HIGH | In Testing | | 2025-01-08 23:37:15 | |
| EL 6 | PHP php | 8.0 | 7.2 | HIGH | In Testing | | 2025-01-13 23:38:06 | |
| EL 6 | PHP php | 7.3 | 7.2 | HIGH | In Testing | | 2025-01-08 23:37:24 | |
| EL 6 | PHP php | 8.2 | 7.2 | HIGH | Not Vulnerable | | 2025-01-13 23:38:05 | |
| EL 6 | PHP php | 5.1 | 7.2 | HIGH | In Testing | | 2024-12-23 22:29:09 | |
| EL 6 | PHP php | 5.2 | 7.2 | HIGH | In Testing | | 2024-12-23 22:29:09 | |
| EL 6 | PHP php | 7.2 | 7.2 | HIGH | In Testing | | 2025-01-08 23:37:24 | |
| EL 6 | PHP php | 7.1 | 7.2 | HIGH | In Testing | | 2025-01-08 23:37:15 | |
| EL 6 | PHP php | 5.3 | 7.2 | HIGH | In Testing | | 2024-12-23 22:29:09 | |
| EL 6 | PHP php | 5.4 | 7.2 | HIGH | In Testing | | 2024-12-23 22:29:09 | |
Total: 86