CVE-2024-8927

Exploit

EPSS 0.12%
Published 08.10.2024 04:15:10
Last modified 19.08.2025 16:26:31
Source security@php.net
Teams watchlist Login
Open Login

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Php ≫ Php Version >= 8.1.0 < 8.1.30

Php ≫ Php Version >= 8.2.0 < 8.2.24

Php ≫ Php Version >= 8.3.0 < 8.3.12

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.12%	0.321

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security@php.net	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-1220 Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-8927

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-8927

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-8927

EUVD