CVE-2024-8927

Updated: 2024-10-16 23:04:12.510749

Description:

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24 and 8.3.* before 8.3.12, the HTTP_REDIRECT_STATUS environment variable is used to check whether the CGI binary (php-cgi) is being run by the HTTP server. However, in certain scenarios the content of this variable can be controlled by the request submitter via HTTP headers, because CGI gateways expose request headers to the script as HTTP_* environment variables, which can lead to the cgi.force_redirect option (On by default) not being correctly applied. That option exists to stop php-cgi from being invoked directly by clients rather than through the server's PHP handler; in certain configurations bypassing it may lead to arbitrary file inclusion in PHP.
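The following Python is an added example, not the page's or PHP's own code. It models the collision the description refers to: an RFC 3875 CGI gateway copies each request header into the environment as HTTP_<NAME>, so a client header named Redirect-Status lands in HTTP_REDIRECT_STATUS, and a force_redirect check that accepts that variable is satisfied by the client. The "vulnerable" and "hardened" functions are simplified models of the php-cgi logic written for this illustration (the hardened one also refuses an administrator-configured variable in the HTTP_* namespace, which is this example's own rule), and the sample requests are constructed.

```python
"""Added example (not PHP's own code): how an RFC 3875 CGI gateway turns request
headers into HTTP_* environment variables, and why a cgi.force_redirect check
that accepts HTTP_REDIRECT_STATUS can be satisfied by the client.

Assumptions: header-to-variable mapping follows RFC 3875 (name upper-cased,
'-' replaced by '_', prefixed with 'HTTP_'); the two check functions are models
of the php-cgi logic, not a copy of the patched source.
"""
from typing import Dict, Optional, Tuple

# RFC 3875 maps these two headers to unprefixed meta-variables; every other
# request header becomes HTTP_<NAME>.
_UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def cgi_meta_variables(request_headers: Dict[str, str],
                       server_vars: Dict[str, str]) -> Dict[str, str]:
    """Build the environment a CGI gateway hands to php-cgi.

    server_vars are set by the web server itself (e.g. REDIRECT_STATUS on an
    internal redirect to the PHP handler) and are never derived from the request.
    """
    env = dict(server_vars)
    for name, value in request_headers.items():
        key = _UNPREFIXED.get(name.lower())
        if key is None:
            key = "HTTP_" + name.upper().replace("-", "_")
        env[key] = value
    return env


def force_redirect_check_vulnerable(env: Dict[str, str]) -> bool:
    """Model of the pre-fix check: either variable 'proves' the server called us.

    HTTP_REDIRECT_STATUS lives in the client-controlled HTTP_* namespace, so a
    request carrying a 'Redirect-Status' header passes this check.
    """
    return bool(env.get("REDIRECT_STATUS") or env.get("HTTP_REDIRECT_STATUS"))


def force_redirect_check_hardened(env: Dict[str, str],
                                  redirect_status_env: Optional[str] = None) -> bool:
    """Model of a safe check: trust only variables the server sets itself.

    REDIRECT_STATUS cannot be spoofed through headers because the gateway always
    prefixes header-derived variables with HTTP_. An administrator-chosen
    variable (cf. cgi.redirect_status_env) is honoured only if it is outside
    the HTTP_* namespace (this example's own rule).
    """
    if env.get("REDIRECT_STATUS"):
        return True
    if redirect_status_env and not redirect_status_env.upper().startswith("HTTP_"):
        return bool(env.get(redirect_status_env))
    return False


def classify_request(request_headers: Dict[str, str],
                     server_vars: Dict[str, str]) -> Tuple[bool, bool]:
    """Return (vulnerable_result, hardened_result) for one simulated request."""
    env = cgi_meta_variables(request_headers, server_vars)
    return force_redirect_check_vulnerable(env), force_redirect_check_hardened(env)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    spoofed = classify_request({"Redirect-Status": "200", "Host": "example.test"}, {})
    plain = classify_request({"Host": "example.test"}, {})
    via_server = classify_request({"Host": "example.test"}, {"REDIRECT_STATUS": "200"})
    print("direct request + Redirect-Status header:", spoofed)     # (True, False)
    print("direct request, no such header         :", plain)       # (False, False)
    print("server internal redirect               :", via_server)  # (True, True)
```

The first line of output is the bug: the pre-fix model lets a plain client request through, while the hardened model only accepts the variable the server itself set. The general lesson is that any security decision in a CGI program must never read an HTTP_* variable, since that whole namespace is attacker-controlled by construction.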



Severity

CVSS Version 2.x: 0 (not scored)
CVSS Version 3.x: 7.5 HIGH

Status

OS name              Project  Version   Score  Severity  Status      Errata                Last updated
CentOS 6 ELS         php      5.3.3     7.5    HIGH      Released    CLSA-2024:1729628500  2024-11-01 10:57:28
CentOS 7 ELS         php      5.4.16    7.5    HIGH      Released    CLSA-2024:1729628764  2024-11-01 10:57:29
CentOS 8.4 ELS       php      7.4.6     7.5    HIGH      Released    CLSA-2024:1729198334  2024-10-17 23:32:58
CentOS 8.5 ELS       php      7.4.19    7.5    HIGH      Released    CLSA-2024:1729198655  2024-10-17 23:32:58
CentOS Stream 8 ELS  php      7.2.24    7.5    HIGH      Released    CLSA-2024:1730134476  2024-10-28 14:30:46
CloudLinux 6 ELS     php      5.3.3     7.5    HIGH      In Rollout  CLSA-2024:1730369579  2024-10-31 10:55:21
CloudLinux 7 ELS     php      5.4.16    7.5    HIGH      Released    CLSA-2024:1729628314  2024-11-05 06:59:38
Oracle Linux 6 ELS   php      5.3.3     7.5    HIGH      Released    CLSA-2024:1729626489  2024-10-22 17:34:09
Ubuntu 16.04 ELS     php      7.0.33    7.5    HIGH      Released    CLSA-2024:1729626893  2024-10-22 17:34:10
Ubuntu 18.04 ELS     php      7.2.24-0  7.5    HIGH      Released    CLSA-2024:1729627812  2024-10-22 17:34:11

Note: the Version column is the distribution package version that the errata patches, not the upstream range in the description. Those package versions (5.3.x to 7.4.x) predate PHP 8.1, but the php-cgi force_redirect check is the same in those older branches, which is why the fix is backported there.