216.73.217.64

CVE-2024-9026

· Published 08/10/2024 04:15 · Modified 16/10/2024 18:30

Labels: CVE-2024-9026 2024-10-08CVE-2024-9026CWE-117NVD-CWE-Other[email protected]

Essential information

Published
08/10/2024 04:15
Modified
16/10/2024 18:30
Author
Creator
CVSS
3.3 LOW (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS metrics

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

NVD status

Status
Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
php-fpm / php-fpm cpe:2.3:a:php-fpm:php-fpm:*:*:*:*:*:*:*:*
php-fpm / php-fpm cpe:2.3:a:php-fpm:php-fpm:*:*:*:*:*:*:*:*
php-fpm / php-fpm cpe:2.3:a:php-fpm:php-fpm:*:*:*:*:*:*:*:*

References