- 172/2024
- Critical
PHP has released security updates to fix several vulnerabilities across multiple PHP versions (8.1, 8.2, 8.3).
The addressed vulnerabilities could allow the attacker to bypass security restrictions, execute arbitrary code, and gain access to the affected product by sending a specially crafted request.
Sample of the addressed vulnerabilities:
1. PHP Code Execution Vulnerability (CVE-2024-4577):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. PHP Security Bypass Vulnerability (CVE-2024-5458):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
It should be highlighted that security researchers disclose the critical severity vulnerability “CVE-2024-4577” affecting PHP installations where PHP is used in CGI mode and provide proof-of-concept (PoC) exploit code, which could lead to remote code execution.
Vulnerabilities
- CVE-2024-4577
- CVE-2024-5585
- CVE-2024-5458
- CVE-2012-1823
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed and should check with its vendors for updates if any.