CVE-2024-11234
EUVD-2024-3376624.11.2024, 01:15
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| php | php | 8.1.0 ≤ 𝑥 < 8.1.31 |
| php | php | 8.2.0 ≤ 𝑥 < 8.2.26 |
| php | php | 8.3.0 ≤ 𝑥 < 8.3.14 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| php8.3 |
| ||||||||||||||
| php5 |
| ||||||||||||||
| php7.0 |
| ||||||||||||||
| php7.2 |
| ||||||||||||||
| php7.4 |
| ||||||||||||||
| php8.1 |
|
Common Weakness Enumeration
- CWE-20 - Improper Input ValidationThe product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.