Описание
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-infra-legacy/trusty | not-affected | code not present |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | DNE | |
| noble | DNE | |
| trusty/esm | not-affected | code not present |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-infra/focal | DNE | |
| esm-infra/xenial | not-affected | code not present |
| focal | DNE | |
| jammy | DNE | |
| noble | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-infra/bionic | not-affected | code not present |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | DNE | |
| noble | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-infra/focal | not-affected | code not present |
| focal | not-affected | code not present |
| jammy | DNE | |
| noble | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | released | 8.1.2-1ubuntu2.19 |
| noble | DNE | |
| upstream | released | 8.1.30 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | released | 8.3.11-0ubuntu0.24.10.2 |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | DNE | |
| noble | released | 8.3.6-0ubuntu0.24.04.2 |
| upstream | released | 8.3.12 |
Показывать по
EPSS
3.3 Low
CVSS3
Связанные уязвимости
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before ...
EPSS
3.3 Low
CVSS3