Bug 2328523 (CVE-2024-11234) - CVE-2024-11234 php: Configuring a proxy in a stream context might allow for CRLF injection in URIs
Summary: CVE-2024-11234 php: Configuring a proxy in a stream context might allow for C...
Keywords:
Status: NEW
Alias: CVE-2024-11234
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2328613 2328614 2328615
Blocks:
Reported: 2024-11-24 02:01 UTC by OSIDB Bzimport
Modified: 2025-05-13 11:57 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2025:4263  0        None      None    None     2025-04-28 15:14:55 UTC
Red Hat Product Errata  RHSA-2025:7315  0        None      None    None     2025-05-13 10:35:46 UTC
Red Hat Product Errata  RHSA-2025:7432  0        None      None    None     2025-05-13 11:57:05 UTC

Description OSIDB Bzimport 2024-11-24 02:01:12 UTC
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
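The mechanism in the description, as an added illustration that is not code from this bug report, from the errata, or from PHP's own http wrapper: a small model of the request line a proxied stream with "request_fulluri" sends, the way a CR/LF inside a caller-supplied URI splits that line into a second request to a host only the proxy can reach, and an application-side guard that rejects such URIs before they reach file_get_contents(). The proxy address, the hostnames and the request-line model are assumptions for the example; the guard is a defence for builds that predate the fixed versions listed above, not PHP's upstream fix itself.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Models the proxied request line, shows how a CR/LF inside the URI
// splits it, and guards the URI before handing it to the stream wrapper.

declare(strict_types=1);

/**
 * Simplified model of what the http wrapper sends to a proxy when
 * 'request_fulluri' is set: the full URI is placed verbatim on the
 * request line. Illustrative only; PHP's wrapper does more than this.
 */
function buildProxyRequestLine(string $method, string $uri): string
{
    return $method . ' ' . $uri . " HTTP/1.1\r\n";
}

/**
 * Application-side guard for PHP builds that still lack the upstream fix:
 * refuse any URI that could break out of the request line.
 */
function isSafeRequestUri(string $uri): bool
{
    // CR, LF, NUL, other ASCII control bytes and space all end or split
    // the request line once it reaches the proxy.
    if (preg_match('/[\x00-\x20\x7F]/', $uri) === 1) {
        return false;
    }
    // Only absolute http(s) URLs make sense with request_fulluri.
    $parts = parse_url($uri);
    return $parts !== false
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/**
 * Fetch $uri through $proxy with the stream options named in the
 * advisory, after validating the URI. $proxy is an assumed value such
 * as 'tcp://proxy.internal.example:3128'.
 */
function fetchViaProxy(string $uri, string $proxy): string|false
{
    if (!isSafeRequestUri($uri)) {
        throw new InvalidArgumentException('refusing URI with control characters or bad scheme');
    }
    $ctx = stream_context_create([
        'http' => [
            'proxy'           => $proxy,
            'request_fulluri' => true,
            'method'          => 'GET',
            'timeout'         => 5,
        ],
    ]);
    return file_get_contents($uri, false, $ctx);
}

// Constructed attacker-controlled input: the CR/LF ends the legitimate
// request line and smuggles a second request to an internal host
// (hostname assumed) that the proxy, not the attacker, can reach.
$malicious = "http://example.com/\r\n"
    . "GET http://admin.internal.example/ HTTP/1.1\r\n"
    . "Host: admin.internal.example\r\n\r\n";

// On an unpatched build the proxy would receive two request lines;
// print the modelled bytes with CR/LF made visible.
echo str_replace(["\r", "\n"], ['\r', '\n'], buildProxyRequestLine('GET', $malicious)), PHP_EOL;

var_dump(isSafeRequestUri($malicious));
var_dump(isSafeRequestUri('http://example.com/'));

try {
    fetchViaProxy($malicious, 'tcp://proxy.internal.example:3128');
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The guard rejects the whole ASCII control range and space rather than only "\r" and "\n", because proxies differ in which byte they treat as the end of the request line; requiring an absolute http(s) URL also removes the ambiguity of a relative path in a full-URI request. On the fixed versions (8.1.31, 8.2.26, 8.3.14 and later) the wrapper itself refuses such URIs, but the check costs nothing and keeps behaviour consistent across builds.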

Comment 2 errata-xmlrpc 2025-04-28 15:14:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:4263 https://access.redhat.com/errata/RHSA-2025:4263

Comment 3 errata-xmlrpc 2025-05-13 10:35:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7315 https://access.redhat.com/errata/RHSA-2025:7315

Comment 4 errata-xmlrpc 2025-05-13 11:57:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7432 https://access.redhat.com/errata/RHSA-2025:7432

