SB2024101209 - openEuler update for php
Published: October 12, 2024 Updated: March 18, 2025
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2024-8925)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when parsing multipart form data. A remote attacker can pass specially crafted input to the application and bypass implemented security restrictions.
2) OS Command Injection (CVE-ID: CVE-2024-8926)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the PHP-CGI implementation. A remote attacker can send a specially crafted HTTP request to the application and execute arbitrary OS commands on the system.
3) Security features bypass (CVE-ID: CVE-2024-8927)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an environment variable collision, which can lead to a cgi.force_redirect bypass. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
4) Insufficient Logging (CVE-ID: CVE-2024-9026)
The vulnerability allows an attacker to alter log files.
The vulnerability exists due to an unspecified error, which can lead to logs from child processes being altered.
5) OS Command Injection (CVE-ID: CVE-2024-4577)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the PHP-CGI implementation. A remote attacker can send a specially crafted HTTP request to the application and execute arbitrary OS commands on the system.
Remediation
Install the update from the vendor's website.