VYPR

rpm package

suse/php7&distro=SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS

pkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS

Vulnerabilities (15)

  • CVE-2024-11235, Apr 4, 2025
    affected < 7.4.33-150200.3.76.1, fixed 7.4.33-150200.3.76.1

    In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially cra

  • CVE-2025-1861, Mar 30, 2025
    affected < 7.4.33-150200.3.76.1, fixed 7.4.33-150200.3.76.1

    In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently a limit on the location value size caused by limited size of the location buffer to 1024.

  • CVE-2025-1736, Mar 30, 2025
    affected < 7.4.33-150200.3.76.1, fixed 7.4.33-150200.3.76.1

    In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be m

  • CVE-2025-1734, Mar 30, 2025
    affected < 7.4.33-150200.3.76.1, fixed 7.4.33-150200.3.76.1

    In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepti

  • CVE-2025-1219, Mar 30, 2025
    affected < 7.4.33-150200.3.76.1, fixed 7.4.33-150200.3.76.1

    In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs

  • CVE-2025-1217, Mar 29, 2025
    affected < 7.4.33-150200.3.76.1, fixed 7.4.33-150200.3.76.1

    In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when the HTTP request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using inco

  • CVE-2022-31631, Feb 12, 2025
    affected < 7.4.33-150200.3.51.1, fixed 7.4.33-150200.3.51.1

    In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulner

  • CVE-2024-5458, Jun 9, 2024
    affected < 7.4.33-150200.3.65.1, fixed 7.4.33-150200.3.65.1

    In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + pa

  • CVE-2024-2756, Med, Apr 29, 2024
    affected < 7.4.33-150200.3.65.1, fixed 7.4.33-150200.3.65.1

    Due to an incomplete fix to CVE-2022-31629 (https://github.com/advisories/GHSA-c43m-486j-j32p), network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

  • CVE-2024-3096, Apr 29, 2024
    affected < 7.4.33-150200.3.65.1, fixed 7.4.33-150200.3.65.1

    In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

  • CVE-2023-3824, Aug 11, 2023
    affected < 7.4.33-150200.3.60.1, fixed 7.4.33-150200.3.60.1

    In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading a phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.

  • CVE-2023-3823, Aug 11, 2023
    affected < 7.4.33-150200.3.60.1, fixed 7.4.33-150200.3.60.1

    In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes

  • CVE-2023-0568, Feb 16, 2023
    affected < 7.4.33-150200.3.51.1, fixed 7.4.33-150200.3.51.1

    In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the core path resolution function allocates a buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten w

  • CVE-2023-0662, Feb 16, 2023
    affected < 7.4.33-150200.3.51.1, fixed 7.4.33-150200.3.51.1

    In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, an excessive number of parts in an HTTP form upload can cause high resource consumption and an excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or di

  • CVE-2023-0567, Feb 16, 2023
    affected < 7.4.33-150200.3.51.1, fixed 7.4.33-150200.3.51.1

    In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the password_verify() function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as v