PT-2024-6536 · Php+10
Owen Gong +2
Published 2019-06-02 · Updated 2025-08-11
CVE-2024-8927
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
PHP versions 8.1.* through 8.1.29
PHP versions 8.2.* through 8.2.23
PHP versions 8.3.* through 8.3.11
Description:
The flaw is a security-settings error in the cgi.force_redirect check of the PHP CGI binary. With cgi.force_redirect enabled, php-cgi refuses to run unless a redirect-status environment variable is present; this is how it verifies that it was invoked by the HTTP server rather than called directly. In the affected versions the check also honours the HTTP_REDIRECT_STATUS variable. Under the CGI specification the web server copies client request headers into HTTP_* environment variables, so a request carrying a Redirect-Status header lets the request submitter populate HTTP_REDIRECT_STATUS with a value of their choosing, and cgi.force_redirect is no longer correctly applied. Bypassing the check can lead to arbitrary file inclusion in PHP.
Recommendations:
For PHP versions 8.1.* through 8.1.29, update to version 8.1.30 or later.
For PHP versions 8.2.* through 8.2.23, update to version 8.2.24 or later.
For PHP versions 8.3.* through 8.3.11, update to version 8.3.12 or later.
As a temporary workaround, prevent clients from controlling the HTTP_REDIRECT_STATUS variable: strip the Redirect-Status request header at the web server or reverse proxy before the request reaches php-cgi, and do not rely on HTTP_REDIRECT_STATUS in sensitive configurations until the update is applied.
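The environment-variable collision described above, as an added example written for this page (illustrative code modelled on the php-cgi startup check, not PHP's own source). It assumes the header-to-variable mapping of RFC 3875 (uppercase, `-` becomes `_`, prefix `HTTP_`), models the vulnerable gate as "REDIRECT_STATUS or HTTP_REDIRECT_STATUS present" and the fixed gate as "REDIRECT_STATUS only", and uses constructed environments; the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* RFC 3875 section 4.1.18: a request header "Foo-Bar" reaches the CGI process
 * as the meta-variable HTTP_FOO_BAR. So "Redirect-Status" becomes
 * HTTP_REDIRECT_STATUS, colliding with the name the force_redirect gate checks. */
void header_to_cgi_var(const char *name, char *out, size_t outlen) {
    const char *prefix = "HTTP_";
    size_t i = 0, j;
    for (; prefix[i] && i + 1 < outlen; i++) out[i] = prefix[i];
    for (j = 0; name[j] && i + 1 < outlen; j++, i++)
        out[i] = (name[j] == '-') ? '_' : (char)toupper((unsigned char)name[j]);
    out[i] = '\0';
}

/* Returns 1 if the request header maps onto the given CGI variable name. */
int header_collides_with(const char *header, const char *cgi_var) {
    char var[128];
    header_to_cgi_var(header, var, sizeof var);
    return strcmp(var, cgi_var) == 0;
}

/* Look up NAME in a NULL-terminated "NAME=value" array (stand-in for the real
 * process environment). Returns the value or NULL when absent. */
const char *env_get(const char *const *env, const char *name) {
    size_t n = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=') return *env + n + 1;
    return NULL;
}

/* Model of the cgi.force_redirect gate (hypothetical, not PHP's code).
 * vulnerable=1: also accepts HTTP_REDIRECT_STATUS, which any client can set
 * with a Redirect-Status request header.
 * vulnerable=0: trusts only REDIRECT_STATUS, which the server sets itself
 * when it hands the request to php-cgi via a redirect/Action handler. */
int force_redirect_allows(const char *const *env, int vulnerable) {
    if (env_get(env, "REDIRECT_STATUS")) return 1;
    if (vulnerable && env_get(env, "HTTP_REDIRECT_STATUS")) return 1;
    return 0;
}

/* Constructed environments: what php-cgi sees for a direct client request that
 * carries "Redirect-Status: 200", versus a request routed by the server. */
const char *const kClientHeaderEnv[] = {
    "GATEWAY_INTERFACE=CGI/1.1", "REQUEST_METHOD=GET",
    "HTTP_REDIRECT_STATUS=200", NULL};
const char *const kServerRoutedEnv[] = {
    "GATEWAY_INTERFACE=CGI/1.1", "REQUEST_METHOD=GET",
    "REDIRECT_STATUS=200", NULL};

int main(void) {
    char var[128];
    header_to_cgi_var("Redirect-Status", var, sizeof var);
    printf("header Redirect-Status -> CGI variable %s\n", var);
    printf("client header, vulnerable gate: %d\n", force_redirect_allows(kClientHeaderEnv, 1));
    printf("client header, fixed gate:      %d\n", force_redirect_allows(kClientHeaderEnv, 0));
    printf("server-routed, fixed gate:      %d\n", force_redirect_allows(kServerRoutedEnv, 0));
    return 0;
}
```

The point the model makes: REDIRECT_STATUS is written by the server and cannot be influenced by the request, while every HTTP_* variable is derived from client headers, so any gate that accepts an HTTP_* name is attacker-controlled by construction. Stripping the Redirect-Status header upstream removes the collision for unpatched hosts; the real fix is to stop honouring the HTTP_* name at all.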
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
PHP
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu