CVE-2024-9026

CVSS V2 None CVSS V3 None

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

Overview

CVE ID
CVE-2024-9026

Assigner
php

Vulnerability Status
PUBLISHED

Published Version
2024-10-08T04:07:33.452Z

Last Modified Date
2024-10-08T04:07:33.452Z

Weakness Enumerations

CWE	URL
CWE-158	http://cwe.mitre.org/data/definitions/158.html
CWE-117	http://cwe.mitre.org/data/definitions/117.html

References

Reference URL	Reference Tags
https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-9026
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9026

History

Created	Old Value	New Value	Data Type	Notes
2024-10-08 13:38:15				Added to TrackCVE