Описание
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
A flaw was found in PHP's DOM and SimpleXML extensions. This vulnerability allows incorrect parsing of a redirected HTTP resource via improper content-type header handling.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | php | Out of support scope | ||
| Red Hat Enterprise Linux 7 | php | Out of support scope | ||
| Red Hat Enterprise Linux 8 | php:7.4/php | Affected | ||
| Red Hat Enterprise Linux 8 | php:8.2/php | Affected | ||
| Red Hat Enterprise Linux 10 | php | Fixed | RHSA-2025:7489 | 13.05.2025 |
| Red Hat Enterprise Linux 9 | php | Fixed | RHSA-2025:4263 | 28.04.2025 |
| Red Hat Enterprise Linux 9 | php | Fixed | RHSA-2025:7418 | 13.05.2025 |
| Red Hat Enterprise Linux 9 | php | Fixed | RHSA-2025:7431 | 13.05.2025 |
| Red Hat Enterprise Linux 9 | php | Fixed | RHSA-2025:7432 | 13.05.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
3.7 Low
CVSS3
Связанные уязвимости
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* ...
libxml streams use wrong `content-type` header when requesting a redirected resource
EPSS
3.7 Low
CVSS3