Fluid Attacks Database

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	php7.4	=7.4.21-1+deb11u1 \|\| =7.4.25-1+deb11u1 \|\| =7.4.26-1 \|\| =7.4.28-1+deb11u1 \|\| =7.4.30-1+deb11u1 \|\| =7.4.33-1+deb11u1 \|\| =7.4.33-1+deb11u3 \|\| =7.4.33-1+deb11u4 \|\| =7.4.33-1+deb11u5 \|\| >=0 <7.4.33-1+deb11u6	7.4.33-1+deb11u6
debian 12	php8.2	=8.2.10-1 \|\| =8.2.10-2 \|\| =8.2.12-1 \|\| =8.2.16-1 \|\| =8.2.16-2 \|\| =8.2.17-1 \|\| =8.2.18-1 \|\| =8.2.18-1~deb12u1 \|\| =8.2.20-1~deb12u1 \|\| =8.2.20-2 \|\| =8.2.20-3 \|\| =8.2.21-1 \|\| =8.2.23-1 \|\| =8.2.5-2 \|\| =8.2.7-1 \|\| =8.2.7-1.1 \|\| =8.2.7-1.2 \|\| =8.2.7-1~deb12u1 \|\| >=0 <8.2.24-1~deb12u1	8.2.24-1~deb12u1
rpm rhel8	php	<0:7.4.33-2.module+el8.10.0+22485+a3539972	0:7.4.33-2.module+el8.10.0+22485+a3539972
rpm rhel7	php	-	-
rpm rhel9	php	<0:8.0.30-2.el9	0:8.0.30-2.el9

Aliases

1. CVE-2024-89272. NVD-2024-89273. OSV-DEBIAN-2024-89274. OSV-2024-89275. SECURITY-TRACKER-CVE-2024-8927

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.