Vulnerability Monitor


CVE-2024-11234


In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14, when using streams with a configured proxy and the "request_fulluri" option, the URI is not properly sanitized, which can lead to HTTP request smuggling and allow an attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to an external user.


Published

2024-11-24T01:15:03.987

Last Modified

2024-11-26T19:06:10.243

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.8 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-20
  • Type: Primary
    CWE-74

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | php | php | < 8.1.31 | Yes |
| Application | php | php | < 8.2.26 | Yes |
| Application | php | php | < 8.3.14 | Yes |

References