CVE-2024-2756

CVE-2024-2756

Name

CVE-2024-2756

Description

Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security@php.net	https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4
security@php.net	http://www.openwall.com/lists/oss-security/2024/04/12/11
security@php.net	https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html
	https://security.netapp.com/advisory/ntap-20240510-0008/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/

Type

URI

security@php.net

https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4

security@php.net

http://www.openwall.com/lists/oss-security/2024/04/12/11

security@php.net

https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html

https://security.netapp.com/advisory/ntap-20240510-0008/

af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/

af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/

Source package	Min version	Max version
php	>= 8.1.*	< 8.1.28
php	>= 8.2.*	< 8.2.18
php	>= 8.3.*	< 8.3.5

CPE URI

Source package

Min version

Max version

php

>= 8.1.*

< 8.1.28

php

>= 8.2.*

< 8.2.18

php

>= 8.3.*

< 8.3.5

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
php83	edge-community	8.3.5-r0	Andy Postnikov <apostnikov@gmail.com>	fixed
php83	3.22-community	8.3.5-r0	None	fixed
php83	3.21-community	8.3.5-r0	None	fixed
php83	3.20-community	8.3.5-r0	None	fixed
php83	3.19-community	8.3.6-r0	Andy Postnikov <apostnikov@gmail.com>	fixed
php82	edge-community	8.2.18-r0	Andy Postnikov <apostnikov@gmail.com>	fixed
php82	3.22-community	8.2.18-r0	None	fixed
php82	3.21-community	8.2.18-r0	None	fixed
php82	3.20-community	8.2.18-r0	None	fixed
php82	3.19-community	8.2.18-r0	Andy Postnikov <apostnikov@gmail.com>	fixed
php81	edge-community	8.1.28-r0	Andy Postnikov <apostnikov@gmail.com>	fixed
php81	3.19-community	8.1.28-r0	Andy Postnikov <apostnikov@gmail.com>	fixed

Source package

Branch

Version

Maintainer

Status

php83

edge-community

8.3.5-r0

Andy Postnikov <apostnikov@gmail.com>

fixed

php83

3.22-community