PHP Patches Multiple Vulnerabilities Including CVE-2024-8932

The PHP development team has released patches to address multiple vulnerabilities affecting versions prior to 8.1.31, 8.2.26, and 8.3.14 potentially allowing attackers to leak sensitive information, execute arbitrary code, or launch denial-of-service attacks.

The first critical vulnerability, tracked as CVE-2024-8932 with a CVSS score of 9.8, allows out-of-bounds (OOB) access in the ldap_escape function and could enable attackers to execute arbitrary code on affected systems.

Another critical flaw, CVE-2024-8929, with a CVSS score of 5.8, allows attackers to leak partial content of the heap through a heap buffer over-read. This vulnerability can be exploited by connecting to a fake MySQL server or by tampering with network packets.

In addition to these critical vulnerabilities, the update also addresses several other issues, including:

  • CVE-2024-11233: A single byte overread with the convert.quoted-printable-decode filter, potentially leading to information leakage or denial of service.
  • CVE-2024-11236: An integer overflow in the Firebird and dblib quoters, potentially causing out-of-bounds writes.
  • CVE-2024-11234: A CRLF injection vulnerability in stream contexts when configuring a proxy, potentially leading to HTTP request smuggling attacks.
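Beyond upgrading, the CRLF issue in CVE-2024-11234 is the kind of bug where a defence-in-depth check on the application side costs little. The following is an added example, not code from the advisory or from the PHP project: it validates a proxy setting before the value is placed in a stream context, rejecting any control character and any unexpected scheme. The helper name `proxy_context_options` and the restriction to `tcp://host:port` proxies are assumptions made for this example.

```php
<?php
// Added example (not from the advisory): defensive validation of a proxy
// setting before it reaches stream_context_create(). This is a mitigation
// layer on top of upgrading, not a replacement for it.
// Assumptions: helper name and the "tcp://host:port" restriction.

/**
 * Returns a stream context options array for the given proxy, or throws if
 * the value contains anything that does not belong in a proxy address:
 * CR, LF, other ASCII control characters, or an unexpected scheme.
 */
function proxy_context_options(string $proxy): array
{
    // Reject every ASCII control character outright, not only \r and \n.
    if (preg_match('/[\x00-\x1F\x7F]/', $proxy)) {
        throw new InvalidArgumentException('proxy value contains control characters');
    }
    // Only tcp://host:port proxies are expected here (assumption for this example).
    if (!preg_match('#^tcp://[A-Za-z0-9.\-]+:\d{1,5}$#', $proxy)) {
        throw new InvalidArgumentException('proxy value is not of the form tcp://host:port');
    }
    return [
        'http' => [
            'proxy'           => $proxy,
            'request_fulluri' => true,
        ],
    ];
}

// Constructed inputs: one well-formed value and one carrying an embedded CR/LF.
$inputs = [
    'tcp://proxy.internal:3128',
    "tcp://proxy.internal:3128\r\n",
];
foreach ($inputs as $in) {
    try {
        $options = proxy_context_options($in);
        $context = stream_context_create($options);
        echo "accepted: {$options['http']['proxy']}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

The check deliberately rejects the whole 0x00-0x1F range rather than only `\r` and `\n`, so a future parsing quirk around a different control character does not reopen the same class of problem.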

Users of the affected versions are urged to update their PHP installations to the latest versions immediately. For detailed information on each vulnerability and mitigation strategies, refer to the advisory.
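To turn the version numbers above into something that can be run against an inventory, here is an added example (not code from the advisory or from the PHP project) that classifies a PHP version string as patched, vulnerable, or unknown using the first fixed release of each branch named in the advisory. The helper name `php_patch_status` and the sample host list are constructed for this example.

```php
<?php
// Added example (not from the advisory): compare a PHP version string against
// the first patched release of its branch (8.1.31, 8.2.26, 8.3.14 as listed above).
// Branches the advisory does not name (e.g. 8.0 or older) are reported as
// 'unknown' rather than assumed safe.

/** First patched release per branch, as stated in the advisory. */
const PHP_FIXED_VERSIONS = [
    '8.1' => '8.1.31',
    '8.2' => '8.2.26',
    '8.3' => '8.3.14',
];

/**
 * Returns 'patched', 'vulnerable', or 'unknown' for a version string such as "8.2.25".
 * Suffixes such as "8.2.25-1+ubuntu22.04" are tolerated: only the leading x.y.z is compared.
 * Caveat: distribution packages may backport fixes without bumping the upstream
 * version, so treat 'vulnerable' as "confirm with your vendor", not as proof of exposure.
 */
function php_patch_status(string $version): string
{
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        return 'unknown';
    }
    $branch = "{$m[1]}.{$m[2]}";
    if (!isset(PHP_FIXED_VERSIONS[$branch])) {
        return 'unknown';
    }
    $clean = "{$m[1]}.{$m[2]}.{$m[3]}";
    return version_compare($clean, PHP_FIXED_VERSIONS[$branch], '>=') ? 'patched' : 'vulnerable';
}

// Check the interpreter this script is running under.
printf("this host: PHP %s -> %s\n", PHP_VERSION, php_patch_status(PHP_VERSION));

// Constructed sample inventory (hypothetical hosts) to show the decision on several inputs.
$inventory = [
    'web-01' => '8.3.13',
    'web-02' => '8.3.14',
    'api-01' => '8.2.25-1+ubuntu22.04',
    'legacy' => '7.4.33',
];
foreach ($inventory as $host => $ver) {
    printf("%-8s %-24s %s\n", $host, $ver, php_patch_status($ver));
}
```

Run it with `php check.php` on each host, or feed it the output of `php -v` collected centrally; the 'unknown' result is the one to chase down first, since it means the host is on a branch that no longer receives upstream fixes at all.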
