DEBIAN-CVE-2024-8927

DEBIAN-CVE-2024-8927 PUBLISHED CVSS 7.5 HIGH

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, and 8.3.* before 8.3.12, the HTTP_REDIRECT_STATUS variable is used to check whether or not the CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to the cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor      Product   Versions
Debian:11   php7.4    0, 7.4.21-1+deb11u1, 7.4.25-1+deb11u1
Debian:12   php8.2    8.2.12-1, 8.2.16-1, 8.2.16-2

Exploit Intelligence

Timeline

  • Oct 8, 2024 CVE Published
  • Apr 28, 2026 CVE Updated