In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.
History

Thu, 12 Dec 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Wed, 16 Oct 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Php-fpm
Php-fpm php-fpm
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:php-fpm:php-fpm:*:*:*:*:*:*:*:*
Vendors & Products Php-fpm
Php-fpm php-fpm

Tue, 08 Oct 2024 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Php
Php php
CPEs cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Vendors & Products Php
Php php
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 08 Oct 2024 03:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in PHP's parsing of multipart form data contents, which affects both file and input form data. This may lead to legitimate data not being processed, violating data integrity. For example, ff a multipart form data payload contains a valid prefix 'X' of the defined boundary B such that 5Kib < |X| < |B| < 8Kib, the logic responsible for parsing and storing the multipart payload fails to correctly extract the contents between two boundaries. In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.
Title php: Erroneous parsing of multipart form data Erroneous parsing of multipart form data
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}

cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Tue, 08 Oct 2024 01:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in PHP's parsing of multipart form data contents, which affects both file and input form data. This may lead to legitimate data not being processed, violating data integrity. For example, ff a multipart form data payload contains a valid prefix 'X' of the defined boundary B such that 5Kib < |X| < |B| < 8Kib, the logic responsible for parsing and storing the multipart payload fails to correctly extract the contents between two boundaries.
Title php: Erroneous parsing of multipart form data
Weaknesses CWE-1286
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}

threat_severity

Moderate


cve-icon MITRE

Status: PUBLISHED

Assigner: php

Published: 2024-10-08T03:35:02.673Z

Updated: 2024-10-08T13:52:50.674Z

Reserved: 2024-09-17T03:59:29.523Z

Link: CVE-2024-8925

cve-icon Vulnrichment

Updated: 2024-10-08T12:56:56.974Z

cve-icon NVD

Status : Analyzed

Published: 2024-10-08T04:15:09.450

Modified: 2024-10-16T18:53:39.957

Link: CVE-2024-8925

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-10-07T00:00:00Z

Links: CVE-2024-8925 - Bugzilla