Metrics
Affected Vendors & Products
Thu, 12 Dec 2024 02:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat
Redhat enterprise Linux |
|
CPEs | cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9 |
|
Vendors & Products |
Redhat
Redhat enterprise Linux |
Wed, 16 Oct 2024 18:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Php-fpm
Php-fpm php-fpm |
|
Weaknesses | NVD-CWE-noinfo | |
CPEs | cpe:2.3:a:php-fpm:php-fpm:*:*:*:*:*:*:*:* | |
Vendors & Products |
Php-fpm
Php-fpm php-fpm |
Tue, 08 Oct 2024 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Php
Php php |
|
CPEs | cpe:2.3:a:php:php:*:*:*:*:*:*:*:* | |
Vendors & Products |
Php
Php php |
|
Metrics |
ssvc
|
Tue, 08 Oct 2024 04:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A flaw was found in PHP. The configuration directive `cgi.force_redirect` prevents anyone from calling PHP directly with a URL such as http://host.example/cgi-bin/php/secretdir/script.php. However, in certain uncommon configurations, an attacker may be able to bypass this restriction and access php-cgi directly. | In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP. |
Title | php: cgi.force_redirect configuration is bypassable due to the environment variable collision | cgi.force_redirect configuration is bypassable due to the environment variable collision |
Metrics |
cvssV3_1
|
cvssV3_1
|
Tue, 08 Oct 2024 01:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A flaw was found in PHP. The configuration directive `cgi.force_redirect` prevents anyone from calling PHP directly with a URL such as http://host.example/cgi-bin/php/secretdir/script.php. However, in certain uncommon configurations, an attacker may be able to bypass this restriction and access php-cgi directly. | |
Title | php: cgi.force_redirect configuration is bypassable due to the environment variable collision | |
Weaknesses | CWE-1220 | |
References |
| |
Metrics |
threat_severity
|
cvssV3_1
|
Status: PUBLISHED
Assigner: php
Published: 2024-10-08T03:56:31.849Z
Updated: 2024-10-08T13:52:19.615Z
Reserved: 2024-09-17T04:09:57.362Z
Link: CVE-2024-8927
Updated: 2024-10-08T12:56:03.439Z
Status : Analyzed
Published: 2024-10-08T04:15:10.867
Modified: 2024-10-16T18:28:34.573
Link: CVE-2024-8927