Potential Security Vulnerability in PHP Streams with Configured Proxy and 'request_fulluri' Option
CVE-2024-11234

7.2HIGH

Key Information:

Vendor: PHP
Status: PHP
Vendor: CVE Published:; 24 November 2024

What is CVE-2024-11234?

The vulnerability presents a scenario in specific PHP versions where improper sanitization of the URI occurs when configured to use streams with a proxy and the 'request_fulluri' option. This flaw enables an attacker to manipulate HTTP requests, potentially performing arbitrary requests through the proxy and accessing internal resources not intended to be exposed externally. Organizations relying on affected PHP versions should assess their risk and apply necessary mitigations.

References

https://github.com/php/php-src/security/advisories/GHSA-c...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 24, 2024