CVE-2024-8925

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:php-fpm:php-fpm::::::::
	cpe:2.3:a:php-fpm:php-fpm::::::::
	cpe:2.3:a:php-fpm:php-fpm::::::::

History

16 Oct 2024, 18:53

Type	Values Removed	Values Added
First Time		Php-fpm php-fpm Php-fpm
CPE		cpe:2.3:a:php-fpm:php-fpm::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~3.1~~	v2 : unknown v3 : 5.3
References	~~() https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32 -~~	() https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32 - Exploit, Third Party Advisory
CWE		NVD-CWE-noinfo

10 Oct 2024, 12:57

Type	Values Removed	Values Added
Summary		(es) En las versiones de PHP 8.1.* anteriores a 8.1.30, 8.2.* anteriores a 8.2.24, 8.3.* anteriores a 8.3.12, el análisis erróneo de los datos de un formulario de varias partes incluidos en una solicitud HTTP POST podría provocar que no se procesen los datos legítimos. Esto podría provocar que un atacante malintencionado capaz de controlar parte de los datos enviados pudiera excluir parte de otros datos, lo que podría provocar un comportamiento erróneo de la aplicación.

08 Oct 2024, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-08 04:15

Updated : 2024-10-16 18:53

NVD link : CVE-2024-8925

Mitre link : CVE-2024-8925

CVE.ORG link : CVE-2024-8925

JSON object : View

Products Affected

php-fpm

php-fpm

CWE

NVD-CWE-noinfo

{"id": "CVE-2024-8925", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security@php.net", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.6}]}, "published": "2024-10-08T04:15:09.450", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32", "tags": ["Exploit", "Third Party Advisory"], "source": "security@php.net"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In PHP versions\u00a08.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior."}, {"lang": "es", "value": "En las versiones de PHP 8.1.* anteriores a 8.1.30, 8.2.* anteriores a 8.2.24, 8.3.* anteriores a 8.3.12, el an\u00e1lisis err\u00f3neo de los datos de un formulario de varias partes incluidos en una solicitud HTTP POST podr\u00eda provocar que no se procesen los datos leg\u00edtimos. Esto podr\u00eda provocar que un atacante malintencionado capaz de controlar parte de los datos enviados pudiera excluir parte de otros datos, lo que podr\u00eda provocar un comportamiento err\u00f3neo de la aplicaci\u00f3n."}], "lastModified": "2024-10-16T18:53:39.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:php-fpm:php-fpm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3AB97B3F-78E0-412D-A29A-2086C84EC2A2", "versionEndExcluding": "8.1.30", "versionStartIncluding": "8.1.0"}, {"criteria": "cpe:2.3:a:php-fpm:php-fpm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "30CA7A9A-B2B8-4A3E-981B-E94536DAFD89", "versionEndExcluding": "8.2.24", "versionStartIncluding": "8.2.0"}, {"criteria": "cpe:2.3:a:php-fpm:php-fpm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8F7936E2-4290-48A4-A857-929E9CEDBDF5", "versionEndExcluding": "8.3.12", "versionStartIncluding": "8.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@php.net"}