CVE-2024-11236

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions PHP versions 8.1.* before 8.1.31 PHP versions 8.2.* before 8.2.26 PHP versions 8.3.* before 8.3.14

Description The issue is related to an integer overflow in the ldap escape() function on 32-bit systems when handling uncontrolled long string inputs. This can result in an out-of-bounds write, potentially allowing a remote attacker to execute arbitrary code by sending specially crafted data to a web application. The vulnerability is critical and can lead to system crashes or malicious actions.

Recommendations For PHP versions 8.1.* before 8.1.31, update to version 8.1.31 or later. For PHP versions 8.2.* before 8.2.26, update to version 8.2.26 or later. For PHP versions 8.3.* before 8.3.14, update to version 8.3.14 or later. As a temporary workaround, consider restricting the input to the ldap escape() function to prevent long string inputs on 32-bit systems.

Exploit

Fix

Integer Overflow

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-190CWE-787

Related Identifiers

ALT-PU-2024-16220

ALT-PU-2024-16262

ALT-PU-2024-16264

ALT-PU-2024-16421

ALT-PU-2024-16432

ALT-PU-2024-16480

ALT-PU-2024-16520

AZL-53447

AZL-53718

BDU:2024-09951

BIT-LIBPHP-2024-11236

BIT-PHP-2024-11236

BIT-PHP-MIN-2024-11236

CVE-2024-11236

DLA-3986-1

DSA-5819-1

GHSA-5HQH-C84R-QJCV

MGASA-2024-0375

OESA-2024-2478

OPENSUSE-SU-2024:14521-1

OPENSUSE-SU-2024_4136-1

SUSE-SU-2024:4136-1

USN-7153-1

USN-7157-1

Affected Products

Alt Linux

Astra Linux

Linuxmint

Php

Red Os

Suse

Ubuntu

CVE-2024-11236

Weakness Enumeration

Related Identifiers

Affected Products

References · 95