php: PHP-FPM Log Manipulation Vulnerability

Publication Date: 2024-10-08
Severity: Low
Type: Information Disclosure
Affected PHP Versions
  • 7.4.0-7.4.33
  • 8.0.0-8.0.30
  • 8.1.0-8.1.30
  • 8.2.0-8.2.24
  • 8.3.0-8.3.12
Fixed Product Versions
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3

CVE Details

When the PHP-FPM SAPI is configured to catch worker output through catch_workers_output = yes, it may be possible to pollute the final log, or to remove up to 4 characters from log messages, by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to remove further log data using the same vulnerability.
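
The following Python check is an added example, not code from this advisory or from the PHP project: it tests a PHP version against the affected ranges listed above and reports which PHP-FPM pools enable catch_workers_output, flagging whether the FPM log goes to syslog. Assumptions: the function names and the sample configuration are constructed for illustration, yes/on/true/1 are all treated as "enabled", include directives are not followed, and the version is compared by upstream number only, so a vendor build that carries the fix under an unchanged version number will still match.

```python
import re

# Affected upstream ranges from this advisory: (major, minor) -> highest affected patch.
AFFECTED = {(7, 4): 33, (8, 0): 30, (8, 1): 30, (8, 2): 24, (8, 3): 12}
TRUTHY = {"yes", "on", "true", "1"}  # assumption: spellings treated as "enabled"

def version_affected(version):
    """True if an upstream PHP version string falls in an affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    return patch <= AFFECTED.get((major, minor), -1)

def parse_fpm_conf(text):
    """Return {section: {directive: value}} for PHP-FPM ini-style text."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            conf.setdefault(section, {})[key] = value.strip("\"'")
    return conf

def assess(version, conf_text):
    """List pools meeting the advisory's precondition, with a syslog flag."""
    if not version_affected(version):
        return []
    conf = parse_fpm_conf(conf_text)
    syslog = conf.get("global", {}).get("error_log", "").lower() == "syslog"
    return [{"pool": name, "syslog": syslog} for name, d in conf.items()
            if name != "global" and d.get("catch_workers_output", "no").lower() in TRUTHY]

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
[global]
error_log = syslog
[www]
catch_workers_output = yes   ; precondition named in the advisory
[api]
catch_workers_output = no
"""

if __name__ == "__main__":
    print(assess("8.2.24", SAMPLE))
```

A pool reported with syslog set to True matches both conditions described in the CVE details.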

Recommendations

We recommend upgrading to a known patched version of PHP.