Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2024-4577

Опубликовано: 09 июн. 2024
Источник: nvd
CVSS3: 9.8
EPSS Критический

Описание

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одновременно

Одно из

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Версия от 8.1.0 (включая) до 8.1.29 (исключая)
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Версия от 8.2.0 (включая) до 8.2.20 (исключая)
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Версия от 8.3.0 (включая) до 8.3.8 (исключая)
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*

EPSS

Процентиль: 100%
0.94374
Критический

9.8 Critical

CVSS3

Дефекты

CWE-78
CWE-78

Связанные уязвимости

ubuntu логотип

CVE-2024-4577

CVSS3: 9.8
ubuntu
больше 1 года назад

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

redhat логотип

CVE-2024-4577

CVSS3: 9.8
redhat
больше 1 года назад

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

msrc логотип

CVE-2024-4577

CVSS3: 9.8
msrc
больше 1 года назад

Argument Injection in PHP-CGI

debian логотип

CVE-2024-4577

CVSS3: 9.8
debian
больше 1 года назад

In PHP versions8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before ...

github логотип

GHSA-vxpp-6299-mxw3

CVSS3: 9.8
github
больше 1 года назад

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

EPSS

Процентиль: 100%
0.94374
Критический

9.8 Critical

CVSS3

Дефекты

CWE-78
CWE-78