Description
In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.* before 8.4.10, some functions such as fsockopen() do not validate that the supplied hostname contains no null characters. As a result, other functions such as parse_url() may treat the hostname in a different way, which opens the way to security problems if the user code implements access checks before access using such functions.
A flaw was found in PHP. The fsockopen() function and related functions fail to validate NULL characters within the provided hostname, potentially leading to unexpected behavior during parsing. This flaw allows a network attacker to supply a specially crafted hostname. This issue can result in a denial of service due to parsing errors.
Statement
PHP does not classify this issue as a security issue because users are expected to sanitize the input. Nevertheless, this was considered a low-impact security issue as a precaution for users who do not follow that practice.
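A sketch of the input sanitization the statement above expects from user code, written as an added example (it is not code from PHP or from Red Hat). The allow-list, the function names and the sample hostnames are assumptions constructed for illustration; the point is that the hostname is rejected, not cleaned, when it contains a null byte, and that the connection uses the exact string that was checked.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list; the names are assumptions for this example.
const ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com'];

/**
 * Validate a caller-supplied hostname and return the exact string that is
 * safe to hand to fsockopen(). Throws instead of "cleaning" the value, so the
 * checked string and the connected string can never differ.
 */
function validated_host(string $host): string
{
    // NUL, other control bytes and spaces are rejected outright. Stripping
    // them would validate a value the caller never sent.
    if ($host === '' || preg_match('/[\x00-\x20\x7f]/', $host) === 1) {
        throw new InvalidArgumentException('control or space byte in hostname');
    }
    // Syntax check over the whole string (letters, digits, hyphens, dots).
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        throw new InvalidArgumentException('not a valid hostname');
    }
    $host = strtolower($host);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('host is not on the allow-list');
    }
    return $host;
}

/** Open a TCP connection only to a host that passed validated_host(). */
function open_checked(string $host, int $port)
{
    $safe = validated_host($host);
    $fp = fsockopen($safe, $port, $errno, $errstr, 5.0);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    return $fp;
}

// Constructed inputs; only the validation step runs here, no network access.
foreach (["api.example.com", "API.example.com", "api.example.com\0.other.test", "other.test"] as $h) {
    try {
        printf("%-34s accepted as %s\n", addcslashes($h, "\0"), validated_host($h));
    } catch (InvalidArgumentException $e) {
        printf("%-34s rejected: %s\n", addcslashes($h, "\0"), $e->getMessage());
    }
}
```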
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 10 | php | Fix deferred | | |
Red Hat Enterprise Linux 6 | php | Fix deferred | | |
Red Hat Enterprise Linux 7 | php | Fix deferred | | |
Red Hat Enterprise Linux 8 | php:7.4/php | Fix deferred | | |
Red Hat Enterprise Linux 8 | php:8.2/php | Fix deferred | | |
Red Hat Enterprise Linux 9 | php | Fix deferred | | |
Red Hat Enterprise Linux 9 | php:8.2/php | Fix deferred | | |
Red Hat Enterprise Linux 9 | php:8.3/php | Fix deferred | | |
Additional information
Status:
EPSS
CVSS3: 3.7 Low