Updated: 2025-11-10 02:47:12.000254
Description:
In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | MEDIUM | 5.3 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Oracle Linux 6 ELS | php | 5.3.3 | 5.3 | MEDIUM | Released | CLSA-2025:1753729863 | 2025-07-29 01:42:27 | |
| Oracle Linux 7 ELS | php | 5.4.16 | 5.3 | MEDIUM | Released | CLSA-2025:1753768680 | 2025-07-30 01:50:18 | |
| RHEL 7 ELS | php | 5.4.16 | 5.3 | MEDIUM | Released | CLSA-2025:1753769145 | 2025-07-30 01:50:15 | |
| TuxCare 9.6 ESU | php | 8.0.30 | 5.3 | MEDIUM | Released | CLSA-2026:1768411712 | 2026-01-15 02:05:29 | This flaw only matters when an application passes attacker-controlled hostnames containing a null by... |
| Ubuntu 16.04 ELS | php | 7.0.33 | 5.3 | MEDIUM | Ignored | 2025-09-10 21:20:25 | Ignored due to low severity | |
| Ubuntu 18.04 ELS | php | 7.2.24-0 | 5.3 | MEDIUM | Ignored | 2025-09-10 21:20:27 | Ignored due to low severity | |
| Ubuntu 20.04 ELS | php | 7.4.3 | 5.3 | MEDIUM | Ignored | 2025-07-22 00:48:55 | Ignored due to low severity |