Vulnerabilities > CVE-2024-8927 - Unspecified vulnerability in PHP-Fpm

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

php-fpm

NVD

Published: 2024-10-08

Updated: 2024-10-16

Summary

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

Vulnerable Configurations

Part	Description	Count
Application	Php-Fpm PHP FPM PHP FPM *	1

References

https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp