apk package
wolfi/php-8.2-mysqli-config
pkg:apk/wolfi/php-8.2-mysqli-config
Vulnerabilities (16)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-11233 | — | < 8.2.26-r0 | 8.2.26-r0 | Nov 24, 2024 | In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory ar | ||
| CVE-2024-11234 | — | < 8.2.26-r0 | 8.2.26-r0 | Nov 24, 2024 | In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbi | ||
| CVE-2024-11236 | — | < 8.2.26-r0 | 8.2.26-r0 | Nov 24, 2024 | In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write. | ||
| CVE-2024-8932 | — | < 8.2.26-r0 | 8.2.26-r0 | Nov 22, 2024 | In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write. | ||
| CVE-2024-2408 | — | < 8.2.20-r0 | 8.2.20-r0 | Jun 9, 2024 | The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/ | ||
| CVE-2024-4577 | — | KEV | < 8.2.20-r0 | 8.2.20-r0 | Jun 9, 2024 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP C | |
| CVE-2024-5585 | — | < 8.2.20-r0 | 8.2.20-r0 | Jun 9, 2024 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of | ||
| CVE-2024-5458 | — | < 8.2.20-r0 | 8.2.20-r0 | Jun 9, 2024 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + pa | ||
| CVE-2022-4900 | — | < 0 | 0 | Nov 2, 2023 | A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. | ||
| CVE-2022-4455 | — | < 0 | 0 | Dec 13, 2022 | A vulnerability was identified in sproctor php-calendar up to 2.0.13. This impacts an unknown function of the file index.php. Such manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. The attack may be launched remotely. The name of the patch is a29411 | ||
| CVE-2015-3211 | Med | 5.5 | < 0 | 0 | Aug 25, 2017 | php-fpm allows local users to write to or create arbitrary files via a symlink attack. | |
| CVE-2017-6485 | Med | 6.1 | < 0 | 0 | Mar 5, 2017 | A Cross-Site Scripting (XSS) issue was discovered in php-calendar before 2017-03-03. The vulnerability exists due to insufficient filtration of user-supplied data (errorMsg) passed to the "php-calendar-master/error.php" URL. An attacker could execute arbitrary HTML and script cod | |
| CVE-2007-4889 | — | < 0 | 0 | Sep 14, 2007 | The MySQL extension in PHP 5.2.4 and earlier allows remote attackers to bypass safe_mode and open_basedir restrictions via the MySQL (1) LOAD_FILE, (2) INTO DUMPFILE, and (3) INTO OUTFILE functions, a different issue than CVE-2007-3997. | ||
| CVE-2007-4596 | — | < 0 | 0 | Aug 30, 2007 | The perl extension in PHP does not follow safe_mode restrictions, which allows context-dependent attackers to execute arbitrary code via the Perl eval function. NOTE: this might only be a vulnerability in limited environments. | ||
| CVE-2007-3205 | — | < 0 | 0 | Jun 13, 2007 | The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a | ||
| CVE-2007-2728 | — | < 0 | 0 | May 16, 2007 | The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727. Note: The PHP team argue that this is not a valid security issue. |
- CVE-2024-11233Nov 24, 2024affected < 8.2.26-r0fixed 8.2.26-r0
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory ar
- CVE-2024-11234Nov 24, 2024affected < 8.2.26-r0fixed 8.2.26-r0
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbi
- CVE-2024-11236Nov 24, 2024affected < 8.2.26-r0fixed 8.2.26-r0
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
- CVE-2024-8932Nov 22, 2024affected < 8.2.26-r0fixed 8.2.26-r0
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
- CVE-2024-2408Jun 9, 2024affected < 8.2.20-r0fixed 8.2.20-r0
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/
- affected < 8.2.20-r0fixed 8.2.20-r0
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP C
- CVE-2024-5585Jun 9, 2024affected < 8.2.20-r0fixed 8.2.20-r0
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of
- CVE-2024-5458Jun 9, 2024affected < 8.2.20-r0fixed 8.2.20-r0
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + pa
- CVE-2022-4900Nov 2, 2023affected < 0fixed 0
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
- CVE-2022-4455Dec 13, 2022affected < 0fixed 0
A vulnerability was identified in sproctor php-calendar up to 2.0.13. This impacts an unknown function of the file index.php. Such manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. The attack may be launched remotely. The name of the patch is a29411
- affected < 0fixed 0
php-fpm allows local users to write to or create arbitrary files via a symlink attack.
- affected < 0fixed 0
A Cross-Site Scripting (XSS) issue was discovered in php-calendar before 2017-03-03. The vulnerability exists due to insufficient filtration of user-supplied data (errorMsg) passed to the "php-calendar-master/error.php" URL. An attacker could execute arbitrary HTML and script cod
- CVE-2007-4889Sep 14, 2007affected < 0fixed 0
The MySQL extension in PHP 5.2.4 and earlier allows remote attackers to bypass safe_mode and open_basedir restrictions via the MySQL (1) LOAD_FILE, (2) INTO DUMPFILE, and (3) INTO OUTFILE functions, a different issue than CVE-2007-3997.
- CVE-2007-4596Aug 30, 2007affected < 0fixed 0
The perl extension in PHP does not follow safe_mode restrictions, which allows context-dependent attackers to execute arbitrary code via the Perl eval function. NOTE: this might only be a vulnerability in limited environments.
- CVE-2007-3205Jun 13, 2007affected < 0fixed 0
The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a
- CVE-2007-2728May 16, 2007affected < 0fixed 0
The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727. Note: The PHP team argue that this is not a valid security issue.