CVE-2024-2757

Name
CVE-2024-2757
Description
In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security@php.net https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq
security@php.net http://www.openwall.com/lists/oss-security/2024/04/12/11
security@php.net https://security.netapp.com/advisory/ntap-20240510-0011/
af854a3a-2127-422b-91ae-364da2661108 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/

Match rules

CPE URI Source package Min version Max version
php >= 8.3.* < 8.3.5
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* php >= 8.3.0 < 8.3.5

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
php83 edge-community 8.3.5-r0 Andy Postnikov <apostnikov@gmail.com> fixed
php83 3.22-community 8.3.5-r0 None fixed
php83 3.21-community 8.3.5-r0 None fixed
php83 3.20-community 8.3.5-r0 None fixed
php83 3.19-community 8.3.6-r0 Andy Postnikov <apostnikov@gmail.com> fixed