2317144 – (CVE-2024-9026) CVE-2024-9026 php: PHP-FPM Log Manipulation Vulnerability

Bug 2317144 (CVE-2024-9026) - CVE-2024-9026 php: PHP-FPM Log Manipulation Vulnerability

Summary: CVE-2024-9026 php: PHP-FPM Log Manipulation Vulnerability

Keywords:
Status:	NEW
Alias:	CVE-2024-9026
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-10-08 04:20 UTC by OSIDB Bzimport
Modified:	2024-11-13 12:05 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in PHP-FPM, the FastCGI Process Manager. This vulnerability can allow an attacker to manipulate or remove up to 4 characters from log messages via crafted log content, potentially polluting or altering the final log. If PHP-FPM is configured to use syslog output, further log data manipulation is possible via the same vector.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-10-08 04:20:31 UTC

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

Note You need to log in before you can comment on or make changes to this bug.