PHP up to 8.1.29/8.2.23/8.3.11 PHP-FPM SAPI null byte or nul character

Summaryinfo

A vulnerability was found in PHP up to 8.1.29/8.2.23/8.3.11 and classified as problematic. The impacted element is an unknown function of the component PHP-FPM SAPI. The manipulation results in improper neutralization of null byte or nul character. This vulnerability was named CVE-2024-9026. The attack needs to be approached locally. There is no available exploit. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in PHP up to 8.1.29/8.2.23/8.3.11. It has been classified as problematic. Affected is an unknown code of the component PHP-FPM SAPI. The manipulation with an unknown input leads to a improper neutralization of null byte or nul character vulnerability. CWE is classifying the issue as CWE-158. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. This is going to have an impact on integrity. CVE summarizes:

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

The advisory is shared for download at github.com. This vulnerability is traded as CVE-2024-9026 since 09/20/2024. The exploitability is told to be easy. The attack needs to be approached locally. There are neither technical details nor an exploit publicly available.

The vulnerability scanner Nessus provides a plugin with the ID 208984 (Debian dla-3920 : libapache2-mod-php7.4 - security update), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 8.1.30, 8.2.24 or 8.3.12 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (208984). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Programming Language Software

Name

• PHP

Version

• 8.1.0
• 8.1.1
• 8.1.2
• 8.1.3
• 8.1.4
• 8.1.5
• 8.1.6
• 8.1.7
• 8.1.8
• 8.1.9
• 8.1.10
• 8.1.11
• 8.1.12
• 8.1.13
• 8.1.14
• 8.1.15
• 8.1.16
• 8.1.17
• 8.1.18
• 8.1.19
• 8.1.20
• 8.1.21
• 8.1.22
• 8.1.23
• 8.1.24
• 8.1.25
• 8.1.26
• 8.1.27
• 8.1.28
• 8.1.29
• 8.2.0
• 8.2.1
• 8.2.2
• 8.2.3
• 8.2.4
• 8.2.5
• 8.2.6
• 8.2.7
• 8.2.8
• 8.2.9
• 8.2.10
• 8.2.11
• 8.2.12
• 8.2.13
• 8.2.14
• 8.2.15
• 8.2.16
• 8.2.17
• 8.2.18
• 8.2.19
• 8.2.20
• 8.2.21
• 8.2.22
• 8.2.23
• 8.3.0
• 8.3.1
• 8.3.2
• 8.3.3
• 8.3.4
• 8.3.5
• 8.3.6
• 8.3.7
• 8.3.8
• 8.3.9
• 8.3.10
• 8.3.11

License

• open-source

Website

• Product: https://www.php.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion