CVE-2024-2408

EUVD-2024-27360
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request:  https://github.com/openssl/openssl/pull/13817  (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.

PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
Affected Products (NVD)
VendorProductVersion
phpphp
8.1.0 ≤
𝑥
< 8.1.29
phpphp
8.2.0 ≤
𝑥
< 8.2.20
phpphp
8.3.0 ≤
𝑥
< 8.3.8
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
phpphp
8.1.0 ≤
𝑥
< 8.1.29
ADP
phpphp
8.2.0 ≤
𝑥
< 8.2.20
ADP
phpphp
8.3.0 ≤
𝑥
< 8.3.8
ADP
Debian logo
Debian Releases
Debian Product
Codename
php7.4
bookworm
ignored
bullseye
postponed
bullseye (security)
vulnerable
buster
postponed
php8.2
bookworm
8.2.29-1~deb12u1
fixed
bookworm (security)
8.2.29-1~deb12u1
fixed
bullseye
postponed
buster
postponed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php7.0
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
xenial
not-affected
php5
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
needs-triage
php7.2
bionic
not-affected
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
php7.4
focal
not-affected
jammy
dne
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
php8.1
focal
dne
jammy
not-affected
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
php8.2
focal
dne
jammy
dne
mantic
not-affected
noble
dne
oracular
dne
plucky
dne
questing
dne
php8.3
focal
dne
jammy
dne
mantic
dne
noble
not-affected
oracular
not-affected
plucky
dne
questing
dne
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
openssl
RHEL 8
1:1.1.1k-12.el8_9
fixed
openssl-devel
RHEL 8
1:1.1.1k-12.el8_9
fixed
openssl-libs
RHEL 8
1:1.1.1k-12.el8_9
fixed
openssl-perl
RHEL 8
1:1.1.1k-12.el8_9
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
php8.1
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-bcmath
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-bcmath-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-cli
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-cli-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-common
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-common-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-dba
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-dba-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-dbg
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-dbg-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-debugsource
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-devel
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-embedded
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-embedded-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-enchant
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-enchant-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-ffi
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-ffi-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-fpm
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-fpm-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-gd
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-gd-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-gmp
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-gmp-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-intl
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-intl-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-ldap
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-ldap-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-mbstring
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-mbstring-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-mysqlnd
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-mysqlnd-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-odbc
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-odbc-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-opcache
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-opcache-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-pdo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-pdo-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-pgsql
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-pgsql-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-process
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-process-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-pspell
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-pspell-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-snmp
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-snmp-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-soap
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-soap-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-tidy
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-tidy-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-xml
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-xml-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-zip
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.1-zip-debuginfo
Amazon Linux 2023
0:8.1.29-1.amzn2023.0.1
fixed
php8.2
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-bcmath
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-bcmath-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-cli
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-cli-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-common
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-common-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-dba
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-dba-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-dbg
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-dbg-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-debugsource
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-devel
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-embedded
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-embedded-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-enchant
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-enchant-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-ffi
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-ffi-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-fpm
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-fpm-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-gd
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-gd-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-gmp
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-gmp-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-intl
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-intl-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-ldap
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-ldap-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-mbstring
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-mbstring-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-mysqlnd
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-mysqlnd-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-odbc
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-odbc-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-opcache
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-opcache-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-pdo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-pdo-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-pgsql
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-pgsql-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-process
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-process-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-pspell
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-pspell-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-snmp
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-snmp-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-soap
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-soap-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-sodium
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-sodium-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-tidy
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-tidy-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-xml
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-xml-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-zip
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
php8.2-zip-debuginfo
Amazon Linux 2023
0:8.2.21-1.amzn2023.0.1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
php
Azure Linux 3.0
0:8.3.8-1.azl3
fixed
CBL-Mariner 2.0
0:8.1.29-1.cm2
fixed