CVE-2024-11234

Updated: 2024-11-30 00:58:02.435306

Description:

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14, when streams are used with a configured proxy and the "request_fulluri" option, the URI is not properly sanitized. This can lead to HTTP request smuggling and allow an attacker to use the proxy to perform arbitrary HTTP requests originating from the server, potentially gaining access to resources not normally available to an external user.
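The real fix is upgrading to 8.1.31, 8.2.26 or 8.3.14; as a defensive layer on still-unpatched hosts, the check below rejects any caller-influenced URL that carries whitespace or control characters before it is written into the request line by "request_fulluri". This is an added example, not code from the advisory or from PHP itself; the function names and the proxy address are assumptions.

```php
<?php
// Added example (not from the advisory): validate a URL before sending it
// through a proxy with "request_fulluri" => true. With that option the whole
// URI is placed on the HTTP request line, so CR/LF, spaces or other control
// characters in it would reach the proxy verbatim.
// PROXY_URL, validate_outbound_url and safe_proxy_fetch are assumed names.

const PROXY_URL = 'tcp://proxy.internal.example:3128'; // constructed placeholder

function validate_outbound_url(string $url): string
{
    // Reject C0 control characters, DEL and any whitespace anywhere in the URL.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        throw new InvalidArgumentException('URL contains control or whitespace characters');
    }
    // Require an absolute http(s) URL with a host; parse_url() does not
    // enforce this on its own.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException('URL is not an absolute URL');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Unsupported URL scheme');
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('URL failed validation');
    }
    return $url;
}

function safe_proxy_fetch(string $url): string|false
{
    $url = validate_outbound_url($url);
    $ctx = stream_context_create([
        'http' => [
            'proxy'           => PROXY_URL,
            'request_fulluri' => true,   // required by many forward proxies
            'timeout'         => 10,
        ],
    ]);
    return file_get_contents($url, false, $ctx);
}

// Usage: a URL with an embedded CRLF is rejected before any request is built.
try {
    safe_proxy_fetch("http://example.com/\r\nGET /internal HTTP/1.1");
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```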


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

  Metric            Severity   Score
  CVSS Version 2.x  -          0
  CVSS Version 3.x  HIGH       7.2

Status

  OS name              | Project name | Version | Score | Severity | Status       | Errata                | Last updated        | Statement
  CentOS 6 ELS         | php          | 5.3.3   | 7.2   | HIGH     | In Testing   | CLSA-2024:1734039943  | 2024-12-11 16:22:21 | -
  CentOS 7 ELS         | php          | 5.4.16  | 7.2   | HIGH     | Released     | CLSA-2024:1733158948  | 2024-12-12 11:56:16 | -
  CentOS 8.4 ELS       | php          | 7.4.6   | 7.2   | HIGH     | Released     | CLSA-2024:1734006823  | 2024-12-12 11:56:15 | -
  CentOS 8.5 ELS       | php          | 7.4.19  | 7.2   | HIGH     | In Testing   | -                     | 2024-12-03 05:30:43 | -
  CentOS Stream 8 ELS  | php          | 7.2.24  | 7.2   | HIGH     | In Testing   | -                     | 2024-12-05 12:02:26 | -
  CloudLinux 6 ELS     | php          | 5.3.3   | 7.2   | HIGH     | In Rollout   | CLSA-2024:1734030028  | 2024-12-12 16:23:42 | -
  CloudLinux 7 ELS     | php          | 5.4.16  | 7.2   | HIGH     | Released     | CLSA-2024:1733158748  | 2024-12-12 11:56:16 | -
  Oracle Linux 6 ELS   | php          | 5.3.3   | 7.2   | HIGH     | In Testing   | -                     | 2024-12-12 02:35:45 | -
  Oracle Linux 7 ELS   | php          | 5.4.16  | 7.2   | HIGH     | In Testing   | -                     | 2024-12-05 12:02:19 | -
  Ubuntu 16.04 ELS     | php          | 7.0.33  | 7.2   | HIGH     | Needs Triage | -                     | 2024-11-21 07:33:57 | -

Total: 11