FreeBSD: 6D82C5E9-FC24-11EE-A689-04421A1BAF97
Apr 11, 2024 - 12:00 a.m.

php -- Multiple vulnerabilities

2024-04-11 00:00:00
vuxml.freebsd.org
Tags: php, update, multiple vulnerabilities, command injection, proc_open, bypass_shell, windows, cookie bypass, cve-2024-1874, cve-2024-2756, cve-2024-2757, security fix, unix

CVSS3: 9.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

AI Score: 7.5
Confidence: Low

EPSS: 0.006
Percentile: 79.3%

This update includes 3 security fixes:

High CVE-2024-1874: Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows
Medium CVE-2024-2756: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
High CVE-2024-2757: mb_encode_mimeheader runs endlessly for some inputs

OS       OS Version  Architecture  Package  Package Version  Filename
FreeBSD  any         noarch        php81    < 8.1.28         UNKNOWN
FreeBSD  any         noarch        php82    < 8.2.18         UNKNOWN
FreeBSD  any         noarch        php83    < 8.3.6          UNKNOWN
