CVE-2024-8927

Exploit

EPSS 0.33%
Veröffentlicht 08.10.2024 04:15:10
Zuletzt bearbeitet 03.11.2025 23:17:33
Quelle security@php.net
CVE-Watchlists
Login
Unerledigt
Login

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Php ≫ Php Version >= 8.1.0 < 8.1.30

Php ≫ Php Version >= 8.2.0 < 8.2.24

Php ≫ Php Version >= 8.3.0 < 8.3.12

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.554

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security@php.net	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-1220 Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp

Vendor Advisory

Exploit

https://lists.debian.org/debian-lts-announce/2024/10/msg00011.html

https://security.netapp.com/advisory/ntap-20241101-0003/

https://nvd.nist.gov/vuln/detail/CVE-2024-8927

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-8927

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-8927

EUVD