CVE-2024-2408

Exploit

EPSS 0.19%
Published 09.06.2024 20:15:09
Last modified 21.03.2025 18:15:32
Source security@php.net
Teams watchlist Login
Open Login

The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request:  https://github.com/openssl/openssl/pull/13817  (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.

PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Php ≫ Php Version >= 8.1.0 < 8.1.29

Php ≫ Php Version >= 8.2.0 < 8.2.20

Php ≫ Php Version >= 8.3.0 < 8.3.8

Fedoraproject ≫ Fedora Version40

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.19%	0.409

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/

https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864

Third Party Advisory

Exploit

https://security.netapp.com/advisory/ntap-20250321-0008/

https://nvd.nist.gov/vuln/detail/CVE-2024-2408

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-2408

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-2408

EUVD