{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-2756", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2024-03-21T05:10:24.594Z", "datePublished": "2024-04-29T03:34:16.912Z", "dateUpdated": "2024-08-01T19:25:41.700Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "PHP", "vendor": "PHP Group", "versions": [{"lessThan": "8.1.28", "status": "affected", "version": "8.1.*", "versionType": "semver"}, {"lessThan": "8.2.18", "status": "affected", "version": "8.2.*", "versionType": "semver"}, {"lessThan": "8.3.5", "status": "affected", "version": "8.3.*", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Marco Squarcina"}], "datePublic": "2024-04-11T17:12:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Due to an incomplete fix to </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/advisories/GHSA-c43m-486j-j32p\">CVE-2022-31629</a><span style=\"background-color: rgb(255, 255, 255);\">, network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a </span><code>__Host-</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;or </span><code>__Secure-</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;cookie by PHP applications.&nbsp;</span><br>"}], "value": "Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host-\u00a0or __Secure-\u00a0cookie by PHP applications.\u00a0\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-04-29T03:34:16.912Z"}, "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0008/"}], "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5", "discovery": "EXTERNAL"}, "title": "__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2756", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-29T17:19:19.916680Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:php:archive_tar:*:*:*:*:*:*:*:*"], "vendor": "php", "product": "archive_tar", "versions": [{"status": "affected", "version": "*"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:30:06.555Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:25:41.700Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0008/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0008/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:25:41.700Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2756", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-29T17:19:19.916680Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:php:archive_tar:*:*:*:*:*:*:*:*"], "vendor": "php", "product": "archive_tar", "versions": [{"status": "affected", "version": "*"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T17:20:36.917Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix", "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Marco Squarcina"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PHP Group", "product": "PHP", "versions": [{"status": "affected", "version": "8.1.*", "lessThan": "8.1.28", "versionType": "semver"}, {"status": "affected", "version": "8.2.*", "lessThan": "8.2.18", "versionType": "semver"}, {"status": "affected", "version": "8.3.*", "lessThan": "8.3.5", "versionType": "semver"}], "defaultStatus": "affected"}], "datePublic": "2024-04-11T17:12:00.000Z", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0008/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host-\u00a0or __Secure-\u00a0cookie by PHP applications.\u00a0\n", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Due to an incomplete fix to </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/advisories/GHSA-c43m-486j-j32p\">CVE-2022-31629</a><span style=\"background-color: rgb(255, 255, 255);\">, network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a </span><code>__Host-</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;or </span><code>__Secure-</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;cookie by PHP applications.&nbsp;</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-04-29T03:34:16.912Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2756", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:25:41.700Z", "dateReserved": "2024-03-21T05:10:24.594Z", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "datePublished": "2024-04-29T03:34:16.912Z", "assignerShortName": "php"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host-\u00a0or __Secure-\u00a0cookie by PHP applications.\u00a0\n"}, {"lang": "es", "value": "Debido a una soluci\u00f3n incompleta de CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p, los atacantes de la red y del mismo sitio pueden establecer una cookie est\u00e1ndar insegura en el navegador de la v\u00edctima que se trata como una __Host- o __Secure- cookie por aplicaciones PHP."}], "id": "CVE-2024-2756", "lastModified": "2024-06-10T18:15:30.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@php.net", "type": "Secondary"}]}, "published": "2024-04-29T04:15:07.890", "references": [{"source": "security@php.net", "url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"source": "security@php.net", "url": "https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4"}, {"source": "security@php.net", "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html"}, {"source": "security@php.net", "url": "https://security.netapp.com/advisory/ntap-20240510-0008/"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@php.net", "type": "Secondary"}]}

{"bugzilla": {"description": "php: host/secure cookie bypass due to partial CVE-2022-31629 fix", "id": "2275058", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275058"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-20", "details": ["Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host-\u00a0or __Secure-\u00a0cookie by PHP applications.\u00a0", "An improper input validation vulnerability was found in PHP. Due to an incomplete fix to CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-2756", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "php:7.4/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "php:8.0/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "php:8.1/php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-2756\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-2756\nhttps://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4"], "statement": "The vulnerability in PHP, where an insecure cookie is misinterpreted as a __Host- or __Secure- cookie due to the incomplete fix for CVE-2022-31629, poses a moderate severity risk. While it allows attackers to set cookies with misleading prefixes, bypassing some cookie security measures, it does not directly enable remote code execution or escalate privileges. However, it can facilitate session hijacking or unauthorized access to certain web applications, potentially compromising user data or functionality. Additionally, its impact is limited to PHP applications that rely on cookie prefixes for security, which reduces its overall severity compared to more important vulnerabilities.", "threat_severity": "Moderate", "upstream_fix": "php 8.1.28, php 8.2.18, php 8.3.6"}