CVE-2024-11234

CWE-20 — Improper Input Validation CWE-7412 documents7 sources

Severity

7.2HIGH

EPSS

1.2%

top 21.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP PHP

Timeline

PublishedNov 24

Latest updateMar 4

Description

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 2.2 | Impact: 2.5

Affected Packages4 packages

▶NVDphp/php8.1.0 — 8.1.31+2

▶CVEListV5php_group/php8.1.* — 8.1.31+2

▶Debianphp7.4< 7.4.33-1+deb11u7

▶Debianphp8.2< 8.2.26-1~deb12u1

🔴Vulnerability Details

OSV

qemu vulnerabilities↗2026-03-04

▶

OSV

php7.0 vulnerabilities↗2025-01-29

▶

OSV

php7.4, php8.1, php8.3 vulnerabilities↗2024-12-13

▶

OSV

php7.4 regression↗2024-12-13

▶

OSV

CVE-2024-11234: In PHP versions 8↗2024-11-24

▶

📋Vendor Advisories

Ubuntu

PHP vulnerabilities↗2025-01-29

▶

Ubuntu

PHP vulnerabilities↗2024-12-13

▶

Red Hat

php: Configuring a proxy in a stream context might allow for CRLF injection in URIs↗2024-11-24

▶

Microsoft

Configuring a proxy in a stream context might allow for CRLF injection in URIs↗2024-11-12

▶

Debian

CVE-2024-11234: php7.4 - In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, w...↗2024

▶