CVE-2024-4577

June 9, 2024, 8:15 p.m.

9.8
Critical

Description

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Product(s) Impacted

Product Versions
PHP
  • 8.1.* before 8.1.29
  • 8.2.* before 8.2.20
  • 8.3.* before 8.3.8

Weaknesses

References

https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv

Tags

CWE-78
2024-06-09
security@php.net
CVE-2024-4577

CVSS Score

9.8 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Date

  • Published: June 9, 2024, 8:15 p.m.
  • Last Modified: June 9, 2024, 8:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@php.net

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.