CVE-2024-4577: In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

KEVITWEXPLOIT

CISA Known Exploited Vulnerabilitydue 2024-07-03

Exploited in the wild

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Affected

24 ranges

Vendor	Product	Version range	Fixed in
debian	php7.4	< php8.2 8.2.24-1~deb12u1 (bookworm)	php8.2 8.2.24-1~deb12u1 (bookworm)
debian	php7.4	—	—
debian	php8.2	< php8.2 8.2.24-1~deb12u1 (bookworm)	php8.2 8.2.24-1~deb12u1 (bookworm)
debian	php8.2	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
msrc	azl3_php_8.3.6-1_on_azure_linux_3.0	—	—
msrc	azl3_php_8.3.8-1_on_azure_linux_3.0	—	—
msrc	azure_linux_3.0_arm	—	—
msrc	azure_linux_3.0_x64	—	—
msrc	cbl2_php_8.1.28-1_on_cbl_mariner_2.0	—	—
msrc	cbl2_php_8.1.29-1_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—
paloalto	pan-os	—	—
php	php	>= 8.1.0 < 8.1.30	8.1.30
php	php	>= 8.1.0 < 8.1.29	8.1.29
php	php	>= 8.2.0 < 8.2.24	8.2.24
php	php	>= 8.2.0 < 8.2.20	8.2.20
php	php	>= 8.3.0 < 8.3.12	8.3.12
php	php	>= 8.3.0 < 8.3.8	8.3.8
php_group	php	>= 8.1.* < 8.1.30	8.1.30
php_group	php	>= 8.2.* < 8.2.24	8.2.24
php_group	php	>= 8.3.* < 8.3.12	8.3.12

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL

vulncheck10.0CRITICAL

cisa9.8CRITICAL