CVE-2024-8927

moderate-risk

Published 2024-10-08

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

Do I need to act?

0.45% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Php

Affected Vendors

Php

References (3)

Exploit https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp

https://lists.debian.org/debian-lts-announce/2024/10/msg00011.html

https://security.netapp.com/advisory/ntap-20241101-0003/

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal