In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.
History

Thu, 12 Dec 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Wed, 16 Oct 2024 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Php-fpm
Php-fpm php-fpm
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:php-fpm:php-fpm:*:*:*:*:*:*:*:*
Vendors & Products Php-fpm
Php-fpm php-fpm

Tue, 08 Oct 2024 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Php
Php php
CPEs cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Vendors & Products Php
Php php
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 08 Oct 2024 04:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in PHP. The configuration directive `cgi.force_redirect` prevents anyone from calling PHP directly with a URL such as http://host.example/cgi-bin/php/secretdir/script.php. However, in certain uncommon configurations, an attacker may be able to bypass this restriction and access php-cgi directly. In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.
Title php: cgi.force_redirect configuration is bypassable due to the environment variable collision cgi.force_redirect configuration is bypassable due to the environment variable collision
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 08 Oct 2024 01:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in PHP. The configuration directive `cgi.force_redirect` prevents anyone from calling PHP directly with a URL such as http://host.example/cgi-bin/php/secretdir/script.php. However, in certain uncommon configurations, an attacker may be able to bypass this restriction and access php-cgi directly.
Title php: cgi.force_redirect configuration is bypassable due to the environment variable collision
Weaknesses CWE-1220
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

threat_severity

Moderate


cve-icon MITRE

Status: PUBLISHED

Assigner: php

Published: 2024-10-08T03:56:31.849Z

Updated: 2024-10-08T13:52:19.615Z

Reserved: 2024-09-17T04:09:57.362Z

Link: CVE-2024-8927

cve-icon Vulnrichment

Updated: 2024-10-08T12:56:03.439Z

cve-icon NVD

Status : Analyzed

Published: 2024-10-08T04:15:10.867

Modified: 2024-10-16T18:28:34.573

Link: CVE-2024-8927

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-10-07T00:00:00Z

Links: CVE-2024-8927 - Bugzilla