A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - oniguruma: integer overflow in search_in_range function in regexec.c leads to out-of-bounds read     (CVE-2019-19012)

  - php: phar Buffer mismanagement (CVE-2023-3824)

  - main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting     fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to     127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this     example) is hardcoded into an application as a security policy, but the hostname argument (i.e.,     127.0.0.1:80 in this example) is obtained from untrusted input. (CVE-2017-7189)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 9 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - php: potential buffer overflow in php_cli_server_startup_workers (CVE-2022-4900)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6757-2 advisory.

  - A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large     value leads to a heap buffer overflow. (CVE-2022-4900)

  - Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and     same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a
    __Host- or __Secure- cookie by PHP applications. (CVE-2024-2756)

  - In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with     password_hash() starts with a null byte (\x00), testing a blank string as the password via     password_verify() will incorrectly return true. (CVE-2024-3096)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6757-1 advisory.

  - A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large     value leads to a heap buffer overflow. (CVE-2022-4900)

  - Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and     same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a
    __Host- or __Secure- cookie by PHP applications. (CVE-2024-2756)

  - In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with     password_hash() starts with a null byte (\x00), testing a blank string as the password via     password_verify() will incorrectly return true. (CVE-2024-3096)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of php installed on the remote host is prior to 8.0.24-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2PHP8.0-2024-010 advisory.

  - In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress     quines gzip files, resulting in an infinite loop. (CVE-2022-31628)

  - In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site     attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or     `__Secure-` cookie by PHP applications. (CVE-2022-31629)

  - A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large     value leads to a heap buffer overflow. (CVE-2022-4900)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:1847-1 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:1846-1 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE- SU-2023:1583-1 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0848 advisory.

  - php: potential buffer overflow in php_cli_server_startup_workers (CVE-2022-4900)

  - php: phar: infinite loop when decompressing quine gzip file (CVE-2022-31628)

  - php: standard insecure cookie could be treated as a '__Host-' or '__Secure-' cookie by PHP applications     (CVE-2022-31629)

  - php: OOB read due to insufficient input validation in imageloadfont() (CVE-2022-31630)

  - php: PDO::quote() may return unquoted string due to an integer overflow (CVE-2022-31631)

  - XKCP: buffer overflow in the SHA-3 reference implementation (CVE-2022-37454)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
202269	RHEL 8 : php (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
198457	RHEL 9 : php (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	medium
194949	Ubuntu 20.04 LTS / 22.04 LTS / 23.10 : PHP vulnerabilities (USN-6757-2)	Nessus	Ubuntu Local Security Checks	medium
194504	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : PHP vulnerabilities (USN-6757-1)	Nessus	Ubuntu Local Security Checks	medium
190054	Amazon Linux 2 : php (ALASPHP8.0-2024-010)	Nessus	Amazon Linux Local Security Checks	medium
174379	SUSE SLES12 Security Update : php7 (SUSE-SU-2023:1847-1)	Nessus	SuSE Local Security Checks	medium
174378	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : php7 (SUSE-SU-2023:1846-1)	Nessus	SuSE Local Security Checks	medium
173446	openSUSE 15 Security Update : php7 (SUSE-SU-2023:1583-1)	Nessus	SuSE Local Security Checks	medium
171724	RHEL 8 : php:8.0 (RHSA-2023:0848)	Nessus	Red Hat Local Security Checks	critical

Detections

Analytics

CVE-2022-4900

medium

Tenable Plugins

critical

medium

medium

medium

medium

medium

medium

medium

critical