Sébastien Rolland

#17011of 53,633
15.8Total CVSS
Vulnerabilities · 2
Medium
1
High
1
PT-2024-8896
5.8
2024-11-15
Php · Php · CVE-2024-8929
Name of the Vulnerable Software and Affected Versions: PHP versions 8.1.* before 8.1.31 PHP versions 8.2.* before 8.2.26 PHP versions 8.3.* before 8.3.14 Description: The issue is related to insufficient protection of internal data due to a buffer overflow in memory, which can be exploited by a hostile MySQL server to disclose the content of the client's heap, potentially containing data from other SQL requests and other users of the same server. This can allow a remote attacker to gain unauthorized access to protected information. Recommendations: For PHP versions 8.1.* before 8.1.31, update to version 8.1.31 or later. For PHP versions 8.2.* before 8.2.26, update to version 8.2.26 or later. For PHP versions 8.3.* before 8.3.14, update to version 8.3.14 or later. As a temporary workaround, consider restricting access to the `php mysqlnd rset field read()` function until a patch is available.
PT-2024-6537
10
2019-06-02
Php · Php · CVE-2024-9026
Name of the Vulnerable Software and Affected Versions: PHP versions 8.1.* before 8.1.30 PHP versions 8.2.* before 8.2.24 PHP versions 8.3.* before 8.3.12 Description: The issue is related to errors in security settings of the PHP interpreter. Exploitation of this issue may allow a remote attacker to bypass existing security restrictions and manipulate PHP-FPM logs. When using PHP-FPM SAPI and it is configured to catch workers output, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. If PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same issue. Recommendations: For PHP versions 8.1.* before 8.1.30, update to version 8.1.30 or later. For PHP versions 8.2.* before 8.2.24, update to version 8.2.24 or later. For PHP versions 8.3.* before 8.3.12, update to version 8.3.12 or later. As a temporary workaround, consider restricting the use of the `catch workers output` configuration option until a patch is available. Avoid using the syslog output configuration in PHP-FPM until the issue is resolved.