CVE-2024-8926
published 2024-10-08CVE-2024-8926: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes…
high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php7.4 | < php8.2 8.2.24-1~deb12u1 (bookworm) | php8.2 8.2.24-1~deb12u1 (bookworm) |
| debian | php8.2 | < php8.2 8.2.24-1~deb12u1 (bookworm) | php8.2 8.2.24-1~deb12u1 (bookworm) |
| msrc | azl3_php_8.3.8-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_php_8.1.29-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| php | php | >= 8.1.0 < 8.1.30 | 8.1.30 |
| php | php | >= 8.2.0 < 8.2.24 | 8.2.24 |
| php | php | >= 8.3.0 < 8.3.12 | 8.3.12 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL