CVE-2024-8926

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for  CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3  may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Affected packages (4)

• Bitnami/libphpfrom 0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.12
• Bitnami/phpfrom 0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.12
• Bitnami/php-minfrom 0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.12
• Debian/php8.2from 0, < 8.2.24-1~deb12u1

CVSS scores

References (5)

• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-8926
• WEBhttps://github.com/advisories/GHSA-vxpp-6299-mxw3
• WEBhttps://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq
• WEBhttps://nvd.nist.gov/vuln/detail/CVE-2024-8926
• WEBhttps://security.netapp.com/advisory/ntap-20241101-0003/