VYPR

rpm package

Package: opensuse/php8-fpm (distro: openSUSE Leap 15.5)

pkg:rpm/opensuse/php8-fpm&distro=openSUSE%20Leap%2015.5

Vulnerabilities (12)

  • CVE-2024-11233 (Nov 24, 2024)
    affected: < 8.0.30-150400.4.49.1; fixed: 8.0.30-150400.4.49.1

    In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory ar

  • CVE-2024-11234 (Nov 24, 2024)
    affected: < 8.0.30-150400.4.49.1; fixed: 8.0.30-150400.4.49.1

    In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbi

  • CVE-2024-8929 (Nov 22, 2024)
    affected: < 8.0.30-150400.4.49.1; fixed: 8.0.30-150400.4.49.1

    In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.

  • CVE-2024-9026 (Oct 8, 2024)
    affected: < 8.0.30-150400.4.46.1; fixed: 8.0.30-150400.4.46.1

    In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages b

  • CVE-2024-8927 (Oct 8, 2024)
    affected: < 8.0.30-150400.4.46.1; fixed: 8.0.30-150400.4.46.1

    In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request su

  • CVE-2024-8925 (Oct 8, 2024)
    affected: < 8.0.30-150400.4.46.1; fixed: 8.0.30-150400.4.46.1

    In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted

  • CVE-2024-5458 (Jun 9, 2024)
    affected: < 8.0.30-150400.4.43.1; fixed: 8.0.30-150400.4.43.1

    In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + pa

  • CVE-2024-2756 (Med; Apr 29, 2024)
    affected: < 8.0.30-150400.4.40.1; fixed: 8.0.30-150400.4.40.1

    Due to an incomplete fix to CVE-2022-31629 (https://github.com/advisories/GHSA-c43m-486j-j32p), network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

  • CVE-2024-3096 (Apr 29, 2024)
    affected: < 8.0.30-150400.4.40.1; fixed: 8.0.30-150400.4.40.1

    In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

  • CVE-2023-3824 (Aug 11, 2023)
    affected: < 8.0.30-150400.4.37.1; fixed: 8.0.30-150400.4.37.1

    In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading a phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.

  • CVE-2023-3823 (Aug 11, 2023)
    affected: < 8.0.30-150400.4.37.1; fixed: 8.0.30-150400.4.37.1

    In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes

  • CVE-2023-3247 (Jul 22, 2023)
    affected: < 8.0.29-150400.4.34.1; fixed: 8.0.29-150400.4.34.1

    In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could l