CVE-2024-2757

In PHP 8.3.* before 8.3.5, functionmb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
phpCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
VendorProductVersion
phpphp
8.3.0 ≤
𝑥
< 8.3.5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
php7.4
bullseye
7.4.33-1+deb11u5
fixed
bullseye (security)
7.4.33-1+deb11u9
fixed
php8.2
bookworm
8.2.29-1~deb12u1
fixed
bookworm (security)
8.2.29-1~deb12u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php5
noble
dne
mantic
dne
jammy
dne
focal
dne
trusty
not-affected
php7.0
noble
dne
mantic
dne
jammy
dne
focal
dne
xenial
not-affected
php7.2
noble
dne
mantic
dne
jammy
dne
focal
dne
bionic
not-affected
php7.4
noble
dne
mantic
dne
jammy
dne
focal
not-affected
php8.1
noble
dne
mantic
dne
jammy
not-affected
focal
dne
php8.2
noble
dne
mantic
not-affected
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
dne
php8.3
noble
Fixed 8.3.6-0maysync1
released
mantic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/04/12/11
https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq
https://security.netapp.com/advisory/ntap-20240510-0011/
http://www.openwall.com/lists/oss-security/2024/04/12/11
https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/
https://security.netapp.com/advisory/ntap-20240510-0011/