Bug 2328523 (CVE-2024-11234) - CVE-2024-11234 php: Configuring a proxy in a stream context might allow for CRLF injection in URIs
Summary: CVE-2024-11234 php: Configuring a proxy in a stream context might allow for C...
Keywords:
Status: NEW
Alias: CVE-2024-11234
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2328613 2328614 2328615
Blocks:
Reported: 2024-11-24 02:01 UTC by OSIDB Bzimport
Modified: 2025-04-15 01:38 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-11-24 02:01:12 UTC
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with a configured proxy and the "request_fulluri" option, the URI is not properly sanitized, which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
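The description above boils down to one invariant: a URI that is written verbatim into the request line of a proxied request must not contain CR, LF or other control characters. The following is an added example, not PHP's own fix and not code from this bug, of a caller-side guard that enforces that invariant before a URI reaches a stream context using "proxy" and "request_fulluri". The function names, the proxy address and the sample URIs are constructed for illustration; the patched PHP releases reject such URIs themselves, and this check only makes the expectation explicit for code that must also run on unpatched builds.

```php
<?php
// Added example (not PHP's or Red Hat's code): refuse URIs with control characters
// before they are handed to a proxied stream context with request_fulluri enabled.

function assert_safe_proxy_uri(string $uri): string
{
    // Any ASCII control character (0x00-0x1F, 0x7F) in a URI that is copied
    // verbatim into "GET <uri> HTTP/1.1" can end the request line early and
    // let attacker-controlled text be parsed as further headers or requests.
    if (preg_match('/[\x00-\x1F\x7F]/', $uri) === 1) {
        throw new InvalidArgumentException('URI contains control characters');
    }

    // request_fulluri only makes sense for absolute http(s) URIs, so insist on
    // a parseable scheme and host rather than passing an arbitrary string on.
    $parts = parse_url($uri);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('URI must be an absolute http(s) URI');
    }

    return $uri;
}

function fetch_via_proxy(string $uri, string $proxy): string|false
{
    // Same shape of stream context as the one the advisory describes:
    // a proxy plus request_fulluri, so the full URI goes into the request line.
    $ctx = stream_context_create([
        'http' => [
            'method'          => 'GET',
            'proxy'           => $proxy,   // placeholder, e.g. 'tcp://proxy.internal:3128'
            'request_fulluri' => true,
            'timeout'         => 5,
        ],
    ]);

    // Validate before any socket is opened; an exception here never reaches the proxy.
    return file_get_contents(assert_safe_proxy_uri($uri), false, $ctx);
}

// Constructed inputs: the first is accepted, the second is rejected because it
// carries a CR/LF pair that would otherwise split the request line.
$candidates = [
    "https://example.com/index.html",
    "https://example.com/a\r\nX-Test: 1",
];

foreach ($candidates as $candidate) {
    try {
        assert_safe_proxy_uri($candidate);
        echo "accepted: ", json_encode($candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", json_encode($candidate), " (", $e->getMessage(), ")\n";
    }
}
```

The guard rejects the whole control-character range rather than only "\r\n" because the request line is plain text on the wire and other control bytes can confuse proxies in the same way; the explicit scheme/host check keeps relative or non-HTTP strings, which request_fulluri cannot express, from being forwarded at all.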

