Описание
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
A flaw was found in PHP-FPM, the FastCGI Process Manager. This vulnerability can allow an attacker to manipulate or remove up to 4 characters from log messages via crafted log content, potentially polluting or altering the final log. If PHP-FPM is configured to use syslog output, further log data manipulation is possible via the same vector.
Отчет
This vulnerability only affects configurations with the catch_workers_output directive enabled or set to yes in the configuration file. This option is disabled by default.
Additionally, if the error_log directive is set to syslog, the logs are being sent to syslogd instead of a regular file, allowing further log data manipulation.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | php | Out of support scope | ||
| Red Hat Enterprise Linux 8 | php:8.0/php | Fix deferred | ||
| Red Hat Enterprise Linux 8 | php | Fixed | RHSA-2024:10951 | 11.12.2024 |
| Red Hat Enterprise Linux 8 | php | Fixed | RHSA-2024:10952 | 11.12.2024 |
| Red Hat Enterprise Linux 9 | php | Fixed | RHSA-2024:10949 | 11.12.2024 |
| Red Hat Enterprise Linux 9 | php | Fixed | RHSA-2024:10950 | 11.12.2024 |
| Red Hat Enterprise Linux 9 | php | Fixed | RHSA-2025:7315 | 13.05.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
3.3 Low
CVSS3
Связанные уязвимости
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before ...
EPSS
3.3 Low
CVSS3