2328523 – (CVE-2024-11234) CVE-2024-11234 php: Configuring a proxy in a stream context might allow for CRLF injection in URIs

Bug 2328523 (CVE-2024-11234) - CVE-2024-11234 php: Configuring a proxy in a stream context might allow for CRLF injection in URIs

Summary: CVE-2024-11234 php: Configuring a proxy in a stream context might allow for C...

Keywords:
Status:	NEW
Alias:	CVE-2024-11234
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2328613 2328614 2328615
Blocks:
TreeView+	depends on / blocked

Reported:	2024-11-24 02:01 UTC by OSIDB Bzimport
Modified:	2025-04-15 01:38 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-11-24 02:01:12 UTC

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.

Note You need to log in before you can comment on or make changes to this bug.