Tim Düsterhus

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 **Description** The `metaphone()` function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. When a string exceeding 2,147,483,647 bytes is processed, a signed integer overflow occurs. This leads to undefined behavior, specifically an out-of-bounds read, which can cause a segmentation fault or access to unrelated memory, potentially impacting the availability of the PHP process. **Recommendations** Update PHP version 8.2.x to 8.2.31 Update PHP version 8.3.x to 8.3.31 Update PHP version 8.4.x to 8.4.21 Update PHP version 8.5.x to 8.5.6 As a temporary workaround, restrict the length of input strings passed to the `metaphone()` function to be less than 2,147,483,647 bytes.

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.1.* through 8.1.31 PHP versions 8.2.* through 8.2.27 PHP versions 8.3.* through 8.3.18 PHP versions 8.4.* through 8.4.4 **Description** The issue is related to the use of the wrong content-type header to determine the charset when a requested resource performs a redirect, potentially causing the resulting document to be parsed incorrectly or bypass validations. This can occur when requesting an HTTP resource using the DOM or SimpleXML extensions in PHP. The vulnerability may allow a remote attacker to redirect a user to an arbitrary URL. **Recommendations** Update PHP to version 8.1.32 or later for versions 8.1.* Update PHP to version 8.2.28 or later for versions 8.2.* Update PHP to version 8.3.19 or later for versions 8.3.* Update PHP to version 8.4.5 or later for versions 8.4.*

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.1.* through 8.1.31 PHP versions 8.2.* through 8.2.27 PHP versions 8.3.* through 8.3.18 PHP versions 8.4.* through 8.4.4 **Description** The issue is related to the incorrect parsing of folded headers in HTTP responses by the http request module in PHP. This may lead to misinterpreting the response and using incorrect headers, MIME types, etc. The vulnerability can be exploited by a remote attacker to send hidden HTTP requests. **Recommendations** For PHP versions 8.1.* through 8.1.31, update to version 8.1.32 or later. For PHP versions 8.2.* through 8.2.27, update to version 8.2.28 or later. For PHP versions 8.3.* through 8.3.18, update to version 8.3.19 or later. For PHP versions 8.4.* through 8.4.4, update to version 8.4.5 or later. As a temporary workaround, consider restricting access to the http stream wrapper until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.0.* through 8.0.28 PHP versions 8.1.* through 8.1.19 PHP versions 8.2.* through 8.2.6 **Description** The issue is related to the use of a random value generator with a narrower range of values than it should have when using SOAP HTTP Digest Authentication. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. **Recommendations** For PHP versions 8.0.* through 8.0.28, update to version 8.0.29 or later. For PHP versions 8.1.* through 8.1.19, update to version 8.1.20 or later. For PHP versions 8.2.* through 8.2.6, update to version 8.2.7 or later. As a temporary workaround, consider disabling the SOAP HTTP Digest Authentication until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.0.0 through 8.0.27 PHP versions 8.1.0 through 8.1.15 PHP versions 8.2.0 through 8.2.2 **Description** The issue is related to the password verification function in PHP, which may accept some invalid Blowfish hashes as valid. If such an invalid hash ends up in the password database, it may lead to an application allowing any password for this entry as valid. This is due to insufficient computation of the password hash. The `password verify()` function is specifically affected. **Recommendations** For PHP versions 8.0.0 through 8.0.27, update to version 8.0.28 or later. For PHP versions 8.1.0 through 8.1.15, update to version 8.1.16 or later. For PHP versions 8.2.0 through 8.2.2, update to version 8.2.3 or later. As a temporary workaround, consider restricting access to the `password verify()` function until a patch is available. Avoid using invalid Blowfish hashes in the password database to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** HAProxy versions 2.0 through 2.0.23 HAProxy versions 2.2 through 2.2.15 HAProxy versions 2.3 through 2.3.12 HAProxy versions 2.4 through 2.4.2 **Description** The issue is related to insufficient input validation in the HAProxy HTTP server software. This allows a remote attacker to impact data integrity. Specifically, an HTTP method name may contain a space followed by the name of a protected resource, which could be interpreted by the server as a request for that protected resource. For example, a request like "GET /admin? HTTP/1.1 /static/images HTTP/1.1" could be misinterpreted. **Recommendations** For HAProxy versions 2.0 through 2.0.23, update to version 2.0.24 or later. For HAProxy versions 2.2 through 2.2.15, update to version 2.2.16 or later. For HAProxy versions 2.3 through 2.3.12, update to version 2.3.13 or later. For HAProxy versions 2.4 through 2.4.2, update to version 2.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** HAProxy versions 2.2 before 2.2.16 HAProxy versions 2.3 before 2.3.13 HAProxy versions 2.4 before 2.4.3 **Description** The issue is related to a mismatch between Host and authority being mishandled, which can lead to an attacker-controlled HTTP Host header. This can allow a remote attacker to impact data integrity. **Recommendations** For HAProxy versions 2.2 before 2.2.16, update to version 2.2.16 or later. For HAProxy versions 2.3 before 2.3.13, update to version 2.3.13 or later. For HAProxy versions 2.4 before 2.4.3, update to version 2.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** HAProxy versions 2.2 through 2.2.15 HAProxy versions 2.3 through 2.3.12 HAProxy versions 2.4 through 2.4.2 **Description** An issue was discovered in HAProxy where it does not ensure that the scheme and path portions of a URI have the expected characters. For example, the authority field might differ from what the routing rules were intended to achieve, potentially allowing a remote attacker to access confidential data due to insufficient input validation. **Recommendations** For HAProxy versions 2.2 through 2.2.15, update to version 2.2.16 or later. For HAProxy versions 2.3 through 2.3.12, update to version 2.3.13 or later. For HAProxy versions 2.4 through 2.4.2, update to version 2.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** HAProxy versions prior to 2.0.10 **Description** The issue is related to the HTTP/2 implementation in HAProxy, which mishandles headers. This can be exploited by an attacker to gain access to confidential data, disrupt data integrity, and cause a denial of service. The vulnerability is demonstrated by the improper handling of carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0). **Recommendations** For HAProxy versions prior to 2.0.10, update to version 2.0.10 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data and implementing additional security measures to prevent exploitation.

Name of the Vulnerable Software and Affected Versions: HAProxy versions 1.8.x through 1.9.0 Description: An out-of-bounds read issue was discovered in the HTTP/2 protocol decoder, which can result in a crash. The issue arises from the processing of the PRIORITY flag in a HEADERS frame, where 5 extra bytes are required but not properly checked, potentially leading to a denial of service. This can be exploited by a remote attacker using a specially crafted packet. Recommendations: For HAProxy versions 1.8.x through 1.9.0, consider disabling the HTTP/2 protocol decoder until a patch is available to prevent potential crashes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HAProxy versions prior to 1.8.14 **Description** The issue is related to an out-of-bounds read access in the HPACK decoder of HAProxy, which can be exploited by a remote attacker to cause a denial of service. This is due to a flaw in the `hpack valid idx()` function. **Recommendations** For versions prior to 1.8.14, update to version 1.8.14 or later to resolve the issue. As a temporary workaround, consider restricting access to the HTTP/2 protocol until the update is applied.