PHP-FPM Log Pollution in PHP 8.18.3 (before 8.3.12)
CVE-2024-9026 Published on October 8, 2024
PHP-FPM logs from children may be altered
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
Vulnerability Analysis
CVE-2024-9026 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2024-9026. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Types
Improper Neutralization of Null Byte or NUL Character
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. As data is parsed, an injected NUL character or null byte may cause the software to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte or otherwise bypass validation routines and other protection mechanisms.
Improper Output Neutralization for Logs
The software does not neutralize or incorrectly neutralizes output that is written to logs.
Products Associated with CVE-2024-9026
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-9026 are published in these products:
Affected Versions
PHP Group PHP:- Version 8.1.* and below 8.1.30 is affected.
- Version 8.2.* and below 8.2.24 is affected.
- Version 8.3.* and below 8.3.12 is affected.
- Version 8.1.0 and below 8.1.30 is affected.
- Version 8.2.0 and below 8.2.24 is affected.
- Version 8.3.0 and below 8.3.12 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.