Vulnerability Description
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, and 8.3.* before 8.3.12, the HTTP_REDIRECT_STATUS variable is used to check whether or not the CGI binary is being run by the HTTP server. However, in certain scenarios the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to the cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.
CVSS Score
HIGH (CVSS base score 7.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Php | Php | >= 8.1.0, < 8.1.30 |
Related Weaknesses (CWE)
References
- https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp (Exploit, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2024/10/msg00011.html
- https://security.netapp.com/advisory/ntap-20241101-0003/
FAQ
What is CVE-2024-8927?
CVE-2024-8927 is a vulnerability with a CVSS score of 7.5 (HIGH). In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, and 8.3.* before 8.3.12, the HTTP_REDIRECT_STATUS variable is used to check whether or not the CGI binary is being run by the HTTP server. However, in certain scenarios the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to the cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.
How severe is CVE-2024-8927?
CVE-2024-8927 has been rated HIGH with a CVSS base score of 7.5/10 (see the CVSS Score section above).
Is there a patch for CVE-2024-8927?
Check the references section above for vendor advisories and patch information. Affected products: PHP (vendor Php, product Php), in the version ranges listed in the Affected Products table above.