PHP releases versions 8.1.30, 8.3.12 and 8.2.24, fixes multiple flaws
Take action: This is a fresh release, so hackers haven't had time to investigate these flaws. Even the CVE advisories are still very vague. If you are running PHP, read up on the flaws and prepare for a possible patch. Last thing you want is to be caught in a full exploitation wave and having to update at the last minute.
Learn More
The PHP developers have addressed multiple vulnerabilities with the release of PHP versions 8.1.30, 8.3.12 and 8.2.24, some of which are critical.
The vulnerabilities include:
- CVE-2024-8926 (CVSS score 9.1) - OS Command Injection, allows a remote attacker to send specially crafted HTTP requests to the application, leading to arbitrary OS command execution due to improper input validation in PHP-CGI implementations.
- CVE-2024-8927 (CVSS score 9.1) - A security features bypass vulnerability that allows attackers to bypass certain security restrictions, exploiting an environment variable collision that can lead to the cgi.force_redirect bypass.
- CVE-2024-9026 (CVSS score 9.1) - An insufficient logging vulnerability that allows attackers to alter logs from child processes due to unspecified errors.
- CVE-2024-8925 (CVSS score 9.1) - An input validation error, where attackers can bypass security restrictions by providing specially crafted input when parsing multipart form data.
These vulnerabilities affect the following versions of PHP:
- PHP 8.1 versions prior to 8.1.30
- PHP 8.2 versions prior to 8.2.24
- PHP 8.3 versions prior to 8.3.12
PHP administrators are strongly advised to update their systems to the fixed versions as soon as possible. While there are no reports of active exploitation in the wild, previous vulnerabilities (like CVE-2024-4577) have been exploited.
