high  Twig has a possible sandbox bypass

Versions affectées : >=3.0.0,<3.14.0|>=2.0.0,<2.16.1|>=1.0.0,<1.44.8
Versions patchées : 1.44.8 2.16.1 3.14.0
https://github.com/advisories/GHSA-6j75-5wfj-gh66

low  Unguarded calls to __isset() and to array-accesses when the sandbox is enabled

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1
Versions patchées : 3.11.2 3.14.1
https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled

low  Unguarded calls to __toString() when nesting an object into an array

Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1
Versions patchées : 3.11.2 3.14.1
https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array

low  CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient

Versions affectées : >=4.3.0,<4.4.0|>=4.4.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Versions patchées : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50342

low  CVE-2024-50345: Open redirect via browser-sanitized URLs

Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Versions patchées : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50345

high  CVE-2024-51736: Command execution hijack on Windows with Process class

Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Versions patchées : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-51736

low  CVE-2024-50341: Security::login does not take into account custom user_checker

Versions affectées : >=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.10|>=7.0.0,<7.0.10|>=7.1.0,<7.1.3
Versions patchées : 6.4.10 7.0.10 7.1.3 6.4.10 7.0.10 7.1.3
https://symfony.com/cve-2024-50341

low  CVE-2024-50343: Incorrect response from Validator when input ends with ` `

Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.43|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.11|>=7.0.0,<7.1.0|>=7.1.0,<7.1.4
Versions patchées : 5.4.43 6.4.11 7.1.4 5.4.43 6.4.11 7.1.4
https://symfony.com/cve-2024-50343

high  CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie

Versions affectées : >=5.3.0,<5.4.0|>=5.4.0,<5.4.47|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.15|>=7.0.0,<7.1.0|>=7.1.0,<7.1.8
Versions patchées : 5.4.47 6.4.15 7.1.8
https://symfony.com/cve-2024-51996

medium  Sylius allows unrestricted brute-force attacks on user accounts

Versions affectées : <=2.0.2
Versions patchées :
https://github.com/advisories/GHSA-2hjh-495w-hmxc

medium  Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout

Versions affectées : >=2.0.0,<2.0.2|>=1.7.0,<1.7.2|<1.6.2
Versions patchées : 1.6.2 1.7.2 2.0.2
https://github.com/advisories/GHSA-hxg4-65p5-9w37

medium  Sylius PayPal Plugin Payment Amount Manipulation Vulnerability

Versions affectées : >=2.0.0,<2.0.1|>=1.7.0,<1.7.1|<1.6.1
Versions patchées : 1.6.1 1.7.1 2.0.1
https://github.com/advisories/GHSA-pqq3-q84h-pj6x

high  GraphQL query operations security can be bypassed

Versions affectées : <4.0.22
Versions patchées : 4.0.22 4.0.22
https://github.com/advisories/GHSA-cg3c-245w-728m

high  GraphQL grant on a property might be cached with different objects

Versions affectées : <4.0.22
Versions patchées : 4.0.22 4.0.22
https://github.com/advisories/GHSA-428q-q3vv-3fq3

critical  In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. 

* [https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv](https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/)
* [https://security.netapp.com/advisory/ntap-20230825-0001/](https://security.netapp.com/advisory/ntap-20230825-0001/)
* [https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html](https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html)

critical  In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

* [https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv](https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv)

critical  In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

* [https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv](https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv)
* [https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html](https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html)
* [https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/](https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/)
* [https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/](https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/)
* [https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/](https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/)
* [https://github.com/11whoami99/CVE-2024-4577](https://github.com/11whoami99/CVE-2024-4577)
* [https://github.com/xcanwin/CVE-2024-4577-PHP-RCE](https://github.com/xcanwin/CVE-2024-4577-PHP-RCE)
* [https://github.com/rapid7/metasploit-framework/pull/19247](https://github.com/rapid7/metasploit-framework/pull/19247)
* [https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/](https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/)
* [https://github.com/watchtowrlabs/CVE-2024-4577](https://github.com/watchtowrlabs/CVE-2024-4577)
* [https://www.php.net/ChangeLog-8.php#8.1.29](https://www.php.net/ChangeLog-8.php#8.1.29)
* [https://www.php.net/ChangeLog-8.php#8.2.20](https://www.php.net/ChangeLog-8.php#8.2.20)
* [https://www.php.net/ChangeLog-8.php#8.3.8](https://www.php.net/ChangeLog-8.php#8.3.8)
* [https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately](https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately)
* [https://isc.sans.edu/diary/30994](https://isc.sans.edu/diary/30994)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://security.netapp.com/advisory/ntap-20240621-0008/](https://security.netapp.com/advisory/ntap-20240621-0008/)

critical  In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.

* [https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff](https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff)
* [https://security.netapp.com/advisory/ntap-20250523-0005/](https://security.netapp.com/advisory/ntap-20250523-0005/)

high  In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification. 

* [https://bugs.php.net/bug.php?id=81746](https://bugs.php.net/bug.php?id=81746)
* [https://security.netapp.com/advisory/ntap-20230517-0001/](https://security.netapp.com/advisory/ntap-20230517-0001/)

high  In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space. 

* [https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv](https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv)
* [https://security.netapp.com/advisory/ntap-20230517-0001/](https://security.netapp.com/advisory/ntap-20230517-0001/)

high  In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. 

* [https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr](https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/)
* [https://security.netapp.com/advisory/ntap-20230825-0001/](https://security.netapp.com/advisory/ntap-20230825-0001/)
* [https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html](https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html)

high  In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.

* [https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43](https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43)

high  In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.

* [https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2](https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2)

high  In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

* [https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385](https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)

high  In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.

* [https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528](https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528)
* [https://security.netapp.com/advisory/ntap-20250523-0006/](https://security.netapp.com/advisory/ntap-20250523-0006/)

medium  The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin.

Versions affectées : 4.4.0|4.4.7,5.0.0|5.0.5,5.1.0|5.1.6,5.2.0|5.2.2
Versions patchées :
* [http://www.acid-root.new.fr/advisories/14070612.txt](http://www.acid-root.new.fr/advisories/14070612.txt)
* [http://securityreason.com/securityalert/2800](http://securityreason.com/securityalert/2800)
* [http://osvdb.org/39834](http://osvdb.org/39834)
* [https://exchange.xforce.ibmcloud.com/vulnerabilities/34836](https://exchange.xforce.ibmcloud.com/vulnerabilities/34836)
* [http://www.securityfocus.com/archive/1/471275/100/0/threaded](http://www.securityfocus.com/archive/1/471275/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471204/100/0/threaded](http://www.securityfocus.com/archive/1/471204/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471178/100/0/threaded](http://www.securityfocus.com/archive/1/471178/100/0/threaded)

medium  In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. 

* [https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4](https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4)
* [https://bugs.php.net/bug.php?id=81744](https://bugs.php.net/bug.php?id=81744)

medium  In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. 

* [https://github.com/php/php-src/security/advisories/GHSA-76gg-c692-v2mw](https://github.com/php/php-src/security/advisories/GHSA-76gg-c692-v2mw)

medium  The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.

* [https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864](https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)

medium  In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.

* [https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w](https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html](https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html)

medium  In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

Versions affectées : 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4
Versions patchées :
* [https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc](https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc)
* [https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc](https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc)

medium  In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

* [https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44](https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44)
* [https://security.netapp.com/advisory/ntap-20250523-0009/](https://security.netapp.com/advisory/ntap-20250523-0009/)

low  In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.

Versions affectées : 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4
Versions patchées :
* [https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g](https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g)
* [https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g](https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g)

unassigned  In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.

* [https://bugs.php.net/bug.php?id=81740](https://bugs.php.net/bug.php?id=81740)
* [https://bugs.php.net/bug.php?id=81740](https://bugs.php.net/bug.php?id=81740)
* [https://security.netapp.com/advisory/ntap-20230223-0007/](https://security.netapp.com/advisory/ntap-20230223-0007/)

unassigned  In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7](https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7)
* [https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7](https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://security.netapp.com/advisory/ntap-20240510-0009/](https://security.netapp.com/advisory/ntap-20240510-0009/)
* [https://security.netapp.com/advisory/ntap-20240510-0009/](https://security.netapp.com/advisory/ntap-20240510-0009/)
* [https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585](https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585)

unassigned  In PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr](https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr)
* [https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr](https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html)
* [https://security.netapp.com/advisory/ntap-20240510-0010/](https://security.netapp.com/advisory/ntap-20240510-0010/)
* [https://security.netapp.com/advisory/ntap-20240510-0010/](https://security.netapp.com/advisory/ntap-20240510-0010/)

unassigned  A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

* [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
* [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
* [https://kb.cert.org/vuls/id/123335](https://kb.cert.org/vuls/id/123335)
* [https://kb.cert.org/vuls/id/123335](https://kb.cert.org/vuls/id/123335)
* [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way)
* [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way)
* [https://www.cve.org/CVERecord?id=CVE-2024-1874](https://www.cve.org/CVERecord?id=CVE-2024-1874)
* [https://www.cve.org/CVERecord?id=CVE-2024-1874](https://www.cve.org/CVERecord?id=CVE-2024-1874)
* [https://www.cve.org/CVERecord?id=CVE-2024-22423](https://www.cve.org/CVERecord?id=CVE-2024-22423)
* [https://www.cve.org/CVERecord?id=CVE-2024-22423](https://www.cve.org/CVERecord?id=CVE-2024-22423)
* [https://www.cve.org/CVERecord?id=CVE-2024-24576](https://www.cve.org/CVERecord?id=CVE-2024-24576)
* [https://www.cve.org/CVERecord?id=CVE-2024-24576](https://www.cve.org/CVERecord?id=CVE-2024-24576)
* [https://www.kb.cert.org/vuls/id/123335](https://www.kb.cert.org/vuls/id/123335)
* [https://www.kb.cert.org/vuls/id/123335](https://www.kb.cert.org/vuls/id/123335)

unassigned  In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.

* [https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678](https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678)
* [https://security.netapp.com/advisory/ntap-20250110-0008/](https://security.netapp.com/advisory/ntap-20250110-0008/)

unassigned  In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

* [https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff](https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff)
* [https://security.netapp.com/advisory/ntap-20250110-0009/](https://security.netapp.com/advisory/ntap-20250110-0009/)

critical  Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)

critical  Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)

high  HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240415-0013/](https://security.netapp.com/advisory/ntap-20240415-0013/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKKDVFWBKIHCC3WXNH3W75WWY4NW42OB/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKKDVFWBKIHCC3WXNH3W75WWY4NW42OB/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/)
* [http://www.openwall.com/lists/oss-security/2024/04/04/4](http://www.openwall.com/lists/oss-security/2024/04/04/4)
* [http://www.openwall.com/lists/oss-security/2024/04/03/16](http://www.openwall.com/lists/oss-security/2024/04/03/16)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html)

high  null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)

high  SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue. 

* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)

unassigned  Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.

* [http://seclists.org/fulldisclosure/2024/Jul/18](http://seclists.org/fulldisclosure/2024/Jul/18)
* [http://seclists.org/fulldisclosure/2024/Jul/18](http://seclists.org/fulldisclosure/2024/Jul/18)
* [http://www.openwall.com/lists/oss-security/2024/04/04/3](http://www.openwall.com/lists/oss-security/2024/04/04/3)
* [http://www.openwall.com/lists/oss-security/2024/04/04/3](http://www.openwall.com/lists/oss-security/2024/04/04/3)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/)
* [https://security.netapp.com/advisory/ntap-20240415-0013/](https://security.netapp.com/advisory/ntap-20240415-0013/)
* [https://security.netapp.com/advisory/ntap-20240415-0013/](https://security.netapp.com/advisory/ntap-20240415-0013/)
* [https://support.apple.com/kb/HT214119](https://support.apple.com/kb/HT214119)
* [https://support.apple.com/kb/HT214119](https://support.apple.com/kb/HT214119)

unassigned  HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.

* [http://seclists.org/fulldisclosure/2024/Jul/18](http://seclists.org/fulldisclosure/2024/Jul/18)
* [http://www.openwall.com/lists/oss-security/2024/04/04/5](http://www.openwall.com/lists/oss-security/2024/04/04/5)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00014.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00014.html)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/)
* [https://security.netapp.com/advisory/ntap-20240415-0013/](https://security.netapp.com/advisory/ntap-20240415-0013/)
* [https://support.apple.com/kb/HT214119](https://support.apple.com/kb/HT214119)

unassigned  SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue.  Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.

* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [http://www.openwall.com/lists/oss-security/2024/07/01/5](http://www.openwall.com/lists/oss-security/2024/07/01/5)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)

unassigned  Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [http://www.openwall.com/lists/oss-security/2024/07/01/6](http://www.openwall.com/lists/oss-security/2024/07/01/6)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)

unassigned  Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

* [http://www.openwall.com/lists/oss-security/2024/07/01/8](http://www.openwall.com/lists/oss-security/2024/07/01/8)
* [https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf](https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [https://www.blackhat.com/us-24/briefings/schedule/index.html#confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-pre-recorded-40227](https://www.blackhat.com/us-24/briefings/schedule/index.html#confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-pre-recorded-40227)

unassigned  Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

* [http://www.openwall.com/lists/oss-security/2024/07/01/11](http://www.openwall.com/lists/oss-security/2024/07/01/11)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)