BIT-php-2024-11234

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/php/BIT-php-2024-11234.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-php-2024-11234

Aliases

CVE-2024-11234

Published

2024-11-27T19:20:11.489Z

Modified

2024-11-28T09:12:23.528520Z

Summary

[none]

Details

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.

Database specific

{
    "cpes": [
        "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2

Affected packages

Bitnami / php

Package

Name: php
Purl: pkg:bitnami/php

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

8.1.0

Fixed

8.1.31

Introduced

8.2.0

Fixed

8.2.26

Introduced

8.3.0

Fixed

8.3.14