Search CVE reports
11 – 20 of 644 results
CVE-2024-4577
Medium priorityIn PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters...
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | Not in release | Not in release | Not in release | — | — |
php7.0 | Not in release | Not in release | Not in release | — | Not affected |
php7.2 | Not in release | Not in release | Not in release | Not affected | — |
php7.4 | Not in release | Not in release | Not affected | — | — |
php8.1 | Not in release | Not affected | Not in release | — | — |
php8.2 | Not in release | Not in release | Not in release | — | — |
php8.3 | Not affected | Not in release | Not in release | — | — |
CVE-2024-2408
Medium priorityThe openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this...
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | Not in release | Not in release | Not in release | — | — |
php7.0 | Not in release | Not in release | Not in release | — | Not affected |
php7.2 | Not in release | Not in release | Not in release | Not affected | — |
php7.4 | Not in release | Not in release | Not affected | — | — |
php8.1 | Not in release | Not affected | Not in release | — | — |
php8.2 | Not in release | Not in release | Not in release | — | — |
php8.3 | Not affected | Not in release | Not in release | — | — |
CVE-2024-5585
Medium priorityIn PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax,...
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | Not in release | Not in release | Not in release | — | — |
php7.0 | Not in release | Not in release | Not in release | — | Not affected |
php7.2 | Not in release | Not in release | Not in release | Not affected | — |
php7.4 | Not in release | Not in release | Not affected | — | — |
php8.1 | Not in release | Not affected | Not in release | — | — |
php8.2 | Not in release | Not in release | Not in release | — | — |
php8.3 | Not affected | Not in release | Not in release | — | — |
CVE-2024-2757
Medium priorityIn PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends...
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | Not in release | Not in release | Not in release | — | — |
php7.0 | Not in release | Not in release | Not in release | — | Not affected |
php7.2 | Not in release | Not in release | Not in release | Not affected | — |
php7.4 | Not in release | Not in release | Not affected | — | — |
php8.1 | Not in release | Not affected | Not in release | — | — |
php8.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
php8.3 | Fixed | Not in release | Not in release | Not in release | Not in release |
CVE-2024-1874
Medium priorityIn PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious...
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | Not in release | Not in release | Not in release | — | — |
php7.0 | Not in release | Not in release | Not in release | — | Not affected |
php7.2 | Not in release | Not in release | Not in release | Not affected | — |
php7.4 | Not in release | Not in release | Not affected | — | — |
php8.1 | Not in release | Not affected | Not in release | — | — |
php8.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
php8.3 | Not affected | Not in release | Not in release | Not in release | Not in release |
CVE-2024-3096
Medium prioritySome fixes available 7 of 8
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly...
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | Not in release | Not in release | Not in release | — | — |
php7.0 | Not in release | Not in release | Not in release | — | Fixed |
php7.2 | Not in release | Not in release | Not in release | Fixed | — |
php7.4 | Not in release | Not in release | Fixed | — | — |
php8.1 | Not in release | Fixed | Not in release | — | — |
php8.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
php8.3 | Fixed | Not in release | Not in release | Not in release | Not in release |
CVE-2024-2756
Medium prioritySome fixes available 7 of 8
Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure-...
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | Not in release | Not in release | Not in release | — | — |
php7.0 | Not in release | Not in release | Not in release | — | Fixed |
php7.2 | Not in release | Not in release | Not in release | Fixed | — |
php7.4 | Not in release | Not in release | Fixed | — | — |
php8.1 | Not in release | Fixed | Not in release | — | — |
php8.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
php8.3 | Fixed | Not in release | Not in release | Not in release | Not in release |
CVE-2022-4900
Low prioritySome fixes available 2 of 3
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | — | Not in release | Not in release | Not in release | Not in release |
php7.0 | — | Not in release | Not in release | Not in release | Not affected |
php7.2 | — | Not in release | Not in release | Not affected | Not in release |
php7.4 | — | Not in release | Fixed | Not in release | Not in release |
php8.1 | Not in release | Fixed | Not in release | Not in release | Not in release |
php8.2 | Not in release | Not in release | Not in release | Not in release | Not in release |
php8.3 | Not affected | Not in release | Not in release | Not in release | Not in release |
CVE-2023-3824
Medium prioritySome fixes available 5 of 6
In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially...
6 affected packages
php5, php7.0, php7.2, php7.4, php8.1, php8.2
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | Not in release | Not in release | Not in release | Not in release | Not in release |
php7.0 | Not in release | Not in release | Not in release | Not in release | Fixed |
php7.2 | Not in release | Not in release | Not in release | Fixed | Not in release |
php7.4 | Not in release | Not in release | Fixed | Not in release | Not in release |
php8.1 | Not in release | Fixed | Not in release | Not in release | Not in release |
php8.2 | Not in release | Not in release | Not in release | Ignored | Ignored |
CVE-2023-3823
Medium prioritySome fixes available 5 of 6
In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed...
6 affected packages
php5, php7.0, php7.2, php7.4, php8.1, php8.2
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php5 | Not in release | Not in release | Not in release | Not in release | Not in release |
php7.0 | Not in release | Not in release | Not in release | Not in release | Fixed |
php7.2 | Not in release | Not in release | Not in release | Fixed | Not in release |
php7.4 | Not in release | Not in release | Fixed | Not in release | Not in release |
php8.1 | Not in release | Fixed | Not in release | Not in release | Not in release |
php8.2 | Not in release | Not in release | Not in release | Ignored | Ignored |