CVE-2024-9026

Oct. 16, 2024, 6:30 p.m.

CVSS Score

3.3 / 10

Products Impacted

Vendor Product Versions
php-fpm
  • php-fpm
  • *

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

Weaknesses

CWE-117
Improper Output Neutralization for Logs

The product does not neutralize or incorrectly neutralizes output that is written to logs.

CWE ID: 117

Date

Published: Oct. 8, 2024, 4:15 a.m.

Last Modified: Oct. 16, 2024, 6:30 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@php.net

CPEs

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a php-fpm php-fpm / / / / / / / /
a php-fpm php-fpm / / / / / / / /
a php-fpm php-fpm / / / / / / / /

CVSS Data

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

Base Score
3.3
Exploitability Score
1.8
Impact Score
1.4
Base Severity
LOW
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References