CVE-2024-8929

CWE-125 — Out-of-bounds Read CWE-200 — Information Exposure8 documents7 sources

Severity

5.8MEDIUM

EPSS

0.7%

top 28.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP PHP

Timeline

PublishedNov 22

Latest updateJan 29

Description

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 1.3 | Impact: 4.0

Affected Packages4 packages

▶NVDphp/php8.1.0 — 8.1.31+2

▶CVEListV5php_group/php8.1.* — 8.1.31+2

▶Debianphp7.4< 7.4.33-1+deb11u7

▶Debianphp8.2< 8.2.26-1~deb12u1

🔴Vulnerability Details

OSV

CVE-2024-8929: In PHP versions 8↗2024-11-22

▶

CVEList

Leak partial content of the heap through heap buffer over-read in mysqlnd↗2024-11-22

▶

📋Vendor Advisories

Ubuntu

PHP vulnerabilities↗2025-01-29

▶

Ubuntu

PHP vulnerabilities↗2024-12-13

▶

Red Hat

php: Leak partial content of the heap through heap buffer over-read in mysqlnd↗2024-11-22

▶

Microsoft

Leak partial content of the heap through heap buffer over-read in mysqlnd↗2024-11-12

▶

Debian

CVE-2024-8929: php7.4 - In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a...↗2024

▶