CVE-2024-8927

Public on 2024-09-27

Modified on 2024-10-09

Description

cgi.force_redirect configuration is byppassible due to the environment variable collision

NOTE: Fixed in 8.3.12, 8.2.24
NOTE: https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp
NOTE: https://github.com/php/php-src/commit/48808d98f4fc2a05193cdcc1aedd6c66816450f1 (PHP-8.2.24)

Severity

Medium

See what this means

CVSS v3 Base Score

6.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 2 - Php8.1 Extra	php	2025-02-12 23:07	ALAS2PHP8.1-2025-006
Amazon Linux 2 - Php8.2 Extra	php	2025-02-12 23:07	ALAS2PHP8.2-2025-006
Amazon Linux 2023	php8.1	2025-02-12 22:57	ALAS2023-2025-845
Amazon Linux 2023	php8.2	2025-02-26 23:14	ALAS2023-2025-872
Amazon Linux 2023	php8.3	2025-02-26 23:14	ALAS2023-2025-873

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
NVD	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Red Hat: CVE-2024-8927 Mitre: CVE-2024-8927 FAQs regarding Amazon Linux ALAS/CVE Severity

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

CVE-2024-8927

Affected Packages

CVSS Scores

References