SB2024060503 - Fedora 40 update for php
Published: June 5, 2024 Updated: March 18, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2024-4577)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in PHP-CGI implementation. A remote attacker can send specially crafted HTTP request to the application and execute arbitrary OS commands on the system.
2) Input validation error (CVE-ID: CVE-2024-5458)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when parsing URL. A remote attacker can bypass the filter_var FILTER_VALIDATE_URL checks.
3) Observable discrepancy (CVE-ID: CVE-2024-2408)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the openssl_private_decrypt function in PHP when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default) is vulnerable to the Marvin Attack. A remote attacker can gain access to sensitive information.
4) OS Command Injection (CVE-ID: CVE-2024-5585)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to insufficient fix for #VU88482 (CVE-2024-1874). A remote attacker can pass specially crafted input to the application and execute arbitrary OS commands on the target system.
Remediation
Install update from vendor's website.