CVE-2024-9026 — Improper Output Neutralization for Logs in Group PHP

CWE-117 — Improper Output Neutralization for Logs CWE-158 — Improper Neutralization of Null Byte or NUL Character8 documents7 sources

Severity

3.3LOWNVD

EPSS

0.9%

top 24.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP

Timeline

PublishedOct 8

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages2 packages

▶NVDphp/php8.1.0 — 8.1.30+2

▶CVEListV5php_group/php8.1.* — 8.1.30+2

🔴Vulnerability Details

OSV

CVE-2024-9026: In PHP versions 8↗2024-10-08

▶

CVEList

PHP-FPM logs from children may be altered↗2024-10-08

▶

OSV

php7.4, php8.1, php8.3 vulnerabilities↗2024-10-01

▶

📋Vendor Advisories

Microsoft

PHP-FPM logs from children may be altered↗2024-10-08

▶

Red Hat

php: PHP-FPM Log Manipulation Vulnerability↗2024-10-08

▶

Ubuntu

PHP vulnerabilities↗2024-10-01

▶

Debian

CVE-2024-9026: php7.4 - In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, w...↗2024

▶