CVE-2024-8927
Last modified
CVE-2024-8927 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. EPSS estimates a 1.08% chance of exploitation in the next 30 days.
Description
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Php | Php | >= 8.1.0, < 8.1.30 |
| Php | Php | >= 8.2.0, < 8.2.24 |
| Php | Php | >= 8.3.0, < 8.3.12 |
References
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2024-8927?
How severe is CVE-2024-8927?
How do I fix CVE-2024-8927?
Are you affected by CVE-2024-8927?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST