Multiple critical vulnerabilities fixed in latest PHP release
Take action: If you run PHP, whether these vulnerabilities affect you depends on whether your code uses the affected functions (proc_open() on Windows with batch files, password_hash()/password_verify(), mb_encode_mimeheader()) or relies on __Host-/__Secure- cookies. Patching may therefore not be urgent, but review your code for those uses now. Plan the update regardless, because sooner or later someone will use the vulnerable functions.
Multiple vulnerabilities have been identified in PHP and fixed in the latest release, version 8.3.6, with matching fixes in 8.2.18 and 8.1.28 for the older supported branches. The vulnerabilities are tracked as CVE-2024-1874, CVE-2024-2756, CVE-2024-3096 and CVE-2024-2757.
They affect PHP 8.3 before 8.3.6, 8.2 before 8.2.18 and 8.1 before 8.1.28; CVE-2024-2757 affects only the 8.3 branch. PHP 8.0 and older are end-of-life and receive no fix.
Detailed Overview of the Vulnerabilities:
- Command Injection, CVE-2024-1874 (CVSS score 9.8): On Windows, the array form of proc_open()'s $command parameter does not escape arguments correctly when the program being launched is a batch file (.bat/.cmd). Batch files always run through cmd.exe, which re-parses the argument string, so attacker-controlled arguments can inject additional commands. The same cmd.exe behaviour was found in the process-spawning APIs of several other language runtimes, which is why the issue was disclosed across multiple ecosystems.
- Cookie Bypass, CVE-2024-2756 (CVSS score 9.1): A bypass of the fix for the earlier CVE-2022-31629. PHP normalises cookie names while building $_COOKIE, replacing certain characters with underscores, so a network or same-site attacker can set an ordinary insecure cookie that PHP nevertheless treats as a __Host- or __Secure- prefixed cookie. This allows cookies the browser would otherwise protect, such as a session cookie, to be overwritten, with session fixation or exposure of sensitive data as the likely outcome.
- Account Takeover, CVE-2024-3096 (CVSS score 9.1): If a password that starts with a null byte (\x00) is stored with password_hash(), password_verify() incorrectly returns true when that hash is tested against a blank password, giving an attacker access to the account without knowing the real password.
- Denial of Service, CVE-2024-2757 (CVSS score 9.1): In PHP 8.3 before 8.3.6, a crafted input to mb_encode_mimeheader() can send the function into an endless loop, tying up the worker process and disrupting service.
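The null-byte issue in CVE-2024-3096 is easy to guard against at the application layer while hosts are still being patched. The following is an added example, not code from the advisory or from the PHP project: it rejects NUL bytes before password_hash() ever sees them, refuses an empty candidate password before password_verify(), and includes a probe that reports whether the running interpreter still exhibits the bypass. The probe assumes that fixed releases either reject a NUL-containing password with a ValueError or simply no longer verify the empty string; it returns false in both cases.

```php
<?php
// Added example, not from the advisory or the PHP project.
// Guard against CVE-2024-3096: on an unfixed runtime, password_hash() of a
// password that begins with "\0" yields a hash that password_verify()
// accepts for the empty string.
declare(strict_types=1);

/** Reject passwords containing a NUL byte before they reach password_hash(). */
function hashPasswordStrict(string $password): string
{
    if (str_contains($password, "\0")) {
        throw new InvalidArgumentException('password must not contain NUL bytes');
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Never let an empty or NUL-containing candidate reach password_verify():
 * the blank password is exactly the bypass vector described in the advisory.
 * (Policy choice: this also rejects genuinely empty passwords.)
 */
function verifyPasswordStrict(string $candidate, string $hash): bool
{
    if ($candidate === '' || str_contains($candidate, "\0")) {
        return false;
    }
    return password_verify($candidate, $hash);
}

/**
 * Runtime probe: true on an interpreter that still has the bug, false on a
 * fixed release. Assumption: fixed releases either throw a ValueError for the
 * NUL byte or no longer verify the empty string against the hash.
 */
function runtimeHasNulBypass(): bool
{
    try {
        // Low bcrypt cost: this is a probe, not a stored credential.
        $hash = password_hash("\0secret", PASSWORD_BCRYPT, ['cost' => 4]);
    } catch (ValueError) {
        return false;
    }
    return password_verify('', $hash);
}

if (PHP_SAPI === 'cli') {
    printf("PHP %s: NUL-byte bypass %s\n", PHP_VERSION,
        runtimeHasNulBypass() ? 'PRESENT (upgrade!)' : 'not present');
}
```

Run the file on each host with `php` to get a yes/no answer that does not depend on version strings (distribution builds that backport the fix keep the old version number). Replacing direct password_hash()/password_verify() calls with the strict wrappers closes the hole even on hosts that are not yet upgraded.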
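For CVE-2024-2756 the robust application-side defence is to stop trusting $_COOKIE for prefixed cookies and read the browser's Cookie header byte-for-byte instead, since the attack relies on the transformations PHP applies to cookie names (URL-decoding them and turning characters such as "." and " " into "_") while it builds $_COOKIE. The block below is an added example, not code from the advisory or the PHP project; the sample header is constructed, and the parser and its duplicate-name policy are this example's own design, not PHP's fix.

```php
<?php
// Added example, not from the advisory or the PHP project.
// Read __Host-/__Secure- cookies from the raw Cookie header so that PHP's
// cookie-name normalisation (the mechanism behind CVE-2022-31629 and
// CVE-2024-2756) cannot make a non-prefixed cookie look prefixed.
declare(strict_types=1);

/**
 * Parse a Cookie header into [name => value], keeping names exactly as sent:
 * no URL-decoding, no character substitution. A name that appears more than
 * once is dropped entirely so a genuine cookie cannot be shadowed.
 */
function parseRawCookies(string $header): array
{
    $out = [];
    $dupes = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair, " \t");
        if ($pair === '' || !str_contains($pair, '=')) {
            continue;
        }
        [$name, $value] = explode('=', $pair, 2);
        if ($name === '' || $name !== trim($name)) {
            continue; // whitespace inside the name position is not a valid token
        }
        if (isset($out[$name])) {
            $dupes[$name] = true;
            continue;
        }
        $out[$name] = $value;
    }
    foreach (array_keys($dupes) as $name) {
        unset($out[$name]);
    }
    return $out;
}

/**
 * Return a prefixed cookie only if the browser sent that exact name.
 * $header defaults to the current request's Cookie header.
 */
function prefixedCookie(string $name, ?string $header = null): ?string
{
    if (!str_starts_with($name, '__Host-') && !str_starts_with($name, '__Secure-')) {
        throw new InvalidArgumentException('expected a __Host- or __Secure- cookie name');
    }
    $header ??= $_SERVER['HTTP_COOKIE'] ?? '';
    return parseRawCookies($header)[$name] ?? null;
}

// Constructed header: the first name is one that name-decoding would turn
// into "__Host-session"; only the second is the cookie the browser protects.
$demo = '__%48ost-session=evil; __Host-session=good';
$session = prefixedCookie('__Host-session', $demo);
```

In the constructed example $session is "good", because "__%48ost-session" stays a distinct name in the raw header. Use prefixedCookie() wherever the application currently reads $_COOKIE['__Host-...'] or $_COOKIE['__Secure-...']; ordinary cookies can keep using $_COOKIE.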
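Where code must launch batch files on Windows with any attacker-influenced argument, a conservative guard can bridge the gap until every host is on a fixed release. This is an added example, not code from the advisory or the PHP project: the metacharacter set is deliberately broad (everything cmd.exe is known to interpret when it re-parses batch-file arguments, plus the shell redirection characters), and it is this example's own choice to refuse such arguments rather than try to escape them.

```php
<?php
// Added example, not from the advisory or the PHP project.
// Guard for CVE-2024-1874: on Windows a .bat/.cmd target runs through cmd.exe
// even with the array form of $command, and cmd.exe re-parses the arguments.
declare(strict_types=1);

// Conservative set of bytes cmd.exe may act on when re-parsing arguments.
const CMD_META = '/[\r\n&|<>^%!"]/';

function isBatchFile(string $program): bool
{
    return (bool) preg_match('/\.(bat|cmd)$/i', $program);
}

/**
 * Return $argv unchanged if it is safe to hand to proc_open(), otherwise throw.
 * $argv[0] is the program, the rest are its arguments. The check is only
 * needed on Windows and only for batch files; real executables are fine.
 */
function guardedCommand(array $argv, bool $isWindows = PHP_OS_FAMILY === 'Windows'): array
{
    if ($argv === [] || !is_string($argv[0])) {
        throw new InvalidArgumentException('argv must start with the program path');
    }
    if (!$isWindows || !isBatchFile($argv[0])) {
        return $argv;
    }
    foreach (array_slice($argv, 1) as $i => $arg) {
        if (preg_match(CMD_META, $arg)) {
            throw new InvalidArgumentException(sprintf(
                'argument %d to batch file %s contains cmd.exe metacharacters', $i + 1, $argv[0]));
        }
    }
    return $argv;
}

/** Run a command through the guard, capturing stdout; returns [exit status, stdout]. */
function runGuarded(array $argv): array
{
    $proc = proc_open(guardedCommand($argv), [1 => ['pipe', 'w']], $pipes);
    if ($proc === false) {
        throw new RuntimeException('proc_open failed');
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return [proc_close($proc), $stdout];
}

// Constructed inputs: the first passes, the second is refused on Windows
// because the quote and the newline would be re-interpreted by cmd.exe.
$ok = guardedCommand(['C:\\tools\\build.cmd', 'release', 'x64'], true);
try {
    guardedCommand(['C:\\tools\\build.cmd', "release\" & calc.exe\r\n"], true);
} catch (InvalidArgumentException $e) {
    $refused = $e->getMessage();
}
```

Pass a real $isWindows value only in tests; in production leave the default so the guard switches itself off on Linux and macOS, where proc_open()'s array form performs no shell parsing. The guard is a stopgap, not a substitute for the 8.3.6/8.2.18/8.1.28 fix, which escapes batch-file arguments correctly.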
Users of affected PHP versions are urged to update to PHP 8.3.6, or to 8.2.18 or 8.1.28 on the older branches, to mitigate these risks.
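To turn the "review your code" advice into something repeatable, the script below (an added example, not code from the advisory or the PHP project) walks a source tree with PHP's own tokenizer, lists every use of the functions and superglobal named in the four advisories, and reports whether the interpreter running it is on a fixed release. The fixed-version table is taken from the release notes quoted above; the mapping of symbols to CVEs is this example's own.

```php
<?php
// Added example, not from the advisory or the PHP project.
// Usage: php audit.php /path/to/project
declare(strict_types=1);

// Symbols to look for, mapped to the advisory each one belongs to.
const WATCHLIST = [
    'proc_open'            => 'CVE-2024-1874 (Windows, batch-file arguments)',
    'password_hash'        => 'CVE-2024-3096 (NUL byte in hashed password)',
    'password_verify'      => 'CVE-2024-3096 (NUL byte in hashed password)',
    'mb_encode_mimeheader' => 'CVE-2024-2757 (8.3.x only, endless loop)',
    '$_COOKIE'             => 'CVE-2024-2756 (__Host-/__Secure- prefix bypass)',
];

/** True if $version is at or above the fixed release for its branch. */
function runtimeIsFixed(string $version = PHP_VERSION): bool
{
    if (version_compare($version, '8.3.0', '>=')) {
        return version_compare($version, '8.3.6', '>=');
    }
    if (version_compare($version, '8.2.0', '>=')) {
        return version_compare($version, '8.2.18', '>=');
    }
    if (version_compare($version, '8.1.0', '>=')) {
        return version_compare($version, '8.1.28', '>=');
    }
    return false; // 8.0 and older are end-of-life and received no fix
}

/** Return [[file, line, symbol, cve], ...] for every watch-listed symbol under $root. */
function scanTree(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        if ($src === false) {
            continue;
        }
        foreach (token_get_all($src) as $tok) {
            if (!is_array($tok)) {
                continue;
            }
            [$id, $text, $line] = $tok;
            // Function names are case-insensitive and may be written \proc_open;
            // the superglobal is matched as a variable token.
            if ($id === T_VARIABLE) {
                $key = $text;
            } elseif ($id === T_STRING || $id === T_NAME_FULLY_QUALIFIED) {
                $key = strtolower(ltrim($text, '\\'));
            } else {
                continue;
            }
            if (isset(WATCHLIST[$key])) {
                $hits[] = [$file->getPathname(), $line, $key, WATCHLIST[$key]];
            }
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    printf("PHP %s: %s\n", PHP_VERSION,
        runtimeIsFixed() ? 'fixed release' : 'NOT fixed, schedule the upgrade');
    foreach (scanTree($argv[1]) as [$path, $line, $sym, $cve]) {
        printf("%s:%d  %-22s %s\n", $path, $line, $sym, $cve);
    }
}
```

The tokenizer approach avoids false hits inside comments and strings that a plain grep would report, but it still flags method calls that happen to share a name (for example a class's own password_verify() method), so treat the output as a review list rather than a verdict. Distribution packages that backport the fix keep the old version number, so on such hosts rely on the package changelog, not on runtimeIsFixed().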