Description
In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function.
An infinite loop vulnerability was found in PHP. Certain inputs provided to mb_encode_mimeheader trigger an endless loop.
Statement
Red Hat Enterprise Linux remains unaffected by this vulnerability since it does not include the vulnerable codebase or version. This CVE only affects PHP 8.3, which we did not ship. The vulnerability in mb_encode_mimeheader presents a moderate severity issue due to its potential for causing service disruption and resource exhaustion. While the vulnerability manifests as an infinite loop on specific input strings, it requires the function to be invoked with the problematic input. This limits its immediate impact to systems where the function is explicitly called with unfiltered or untrusted inputs. Moreover, its exploitation primarily leads to a Denial-of-Service (DoS) condition rather than arbitrary code execution or data compromise. However, given the function's integral role in email processing and its use in frameworks like CakePHP 5, the risk of disruption to email services and associated processing routines is non-trivial.
Mitigation
Mitigation for this issue is either not available, or the currently available options don't meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.
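The statement above limits exposure to code paths that hand unfiltered, untrusted input to mb_encode_mimeheader(). The following is an added example, not code from the advisory, from Red Hat or from PHP, of an application-level guard for such a code path: it bounds the total length of a header value and the length of any run of non-whitespace bytes (the input shape the description names) before calling the function, and it refuses the call outright on an affected 8.3.0 through 8.3.4 interpreter. The function names, the two limits and the sample inputs are this example's own assumptions.

```php
<?php
// Added example (not from the advisory): defensive wrapper around
// mb_encode_mimeheader() for applications that encode untrusted header values.
// bounded_mime_header(), header_input_is_bounded(), php_is_affected() and the
// two limits below are this example's own; the limits are assumptions.

declare(strict_types=1);

const MAX_HEADER_BYTES = 998;  // RFC 5322 line-length ceiling, used as an overall input bound
const MAX_RUN_BYTES    = 256;  // assumed cap on one run of non-whitespace bytes

/** True when the interpreter is an affected 8.3.x build (8.3.0 up to, not including, 8.3.5). */
function php_is_affected(string $version = PHP_VERSION): bool
{
    return version_compare($version, '8.3.0', '>=')
        && version_compare($version, '8.3.5', '<');
}

/**
 * Reject values that exceed the overall byte bound or contain a run of
 * non-whitespace bytes longer than $maxRun. The description of the issue
 * names "long strings of non-space characters followed by a space", so
 * bounding each run is the check that matters; the total bound is a
 * general hygiene limit for header values.
 */
function header_input_is_bounded(
    string $value,
    int $maxBytes = MAX_HEADER_BYTES,
    int $maxRun = MAX_RUN_BYTES
): bool {
    if (strlen($value) > $maxBytes) {
        return false;
    }
    foreach (preg_split('/\s+/', $value) as $run) {
        if (strlen($run) > $maxRun) {
            return false;
        }
    }
    return true;
}

/**
 * Encode "$field: $value" as a MIME header only after the value passes the
 * bounds check and the interpreter is not an affected build. Returns null
 * when the call is refused so the caller can log and drop the message
 * instead of blocking the worker.
 */
function bounded_mime_header(string $field, string $value, string $charset = 'UTF-8'): ?string
{
    if (!header_input_is_bounded($value)) {
        error_log("rejected over-long header value for {$field}");
        return null;
    }
    if (php_is_affected()) {
        // The fix is to update PHP; until then do not hand untrusted data to the function.
        error_log('mb_encode_mimeheader skipped: PHP ' . PHP_VERSION . ' is an affected 8.3.x build');
        return null;
    }
    return mb_encode_mimeheader($field . ': ' . $value, $charset, 'Q');
}

// Constructed sample inputs (not from the advisory).
var_dump(bounded_mime_header('Subject', 'Quarterly report: Ünïcode is fine here'));
var_dump(bounded_mime_header('Subject', str_repeat('x', 5000) . ' tail')); // null: run too long
```

On a patched interpreter the first call returns a Q-encoded `Subject:` line and the second returns null with a log entry; on an affected 8.3.x build both paths refuse the call. The per-run limit is deliberately conservative, since the advisory gives no threshold for the trigger; tune it to the longest legitimate token your application expects in a header.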
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | php | Not affected | | |
Red Hat Enterprise Linux 7 | php | Not affected | | |
Red Hat Enterprise Linux 8 | php:7.4/php | Not affected | | |
Red Hat Enterprise Linux 8 | php:8.0/php | Not affected | | |
Red Hat Enterprise Linux 8 | php:8.2/php | Not affected | | |
Red Hat Enterprise Linux 9 | php | Not affected | | |
Red Hat Enterprise Linux 9 | php:8.1/php | Not affected | | |
Red Hat Enterprise Linux 9 | php:8.2/php | Not affected | | |
Additional information
Status:
EPSS:
CVSS3: 7.5 High
Related vulnerabilities
In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function.
In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endless ...
mb_encode_mimeheader runs endlessly for some inputs