Vulnerability CVE-2024-2756: Information

Description

Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications. 

URL: https://nvd.nist.gov/vuln/detail/CVE-2024-2756
Published: April 29, 2024
Modified: May 8, 2024

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
php8.1sisyphus8.1.28-alt18.1.28-alt1ALT-PU-2024-6496-1345012Fixed
php8.1sisyphus_e2k8.1.28-alt18.1.28-alt1ALT-PU-2024-6556-1-Fixed
php8.1sisyphus_riscv648.1.28-alt18.1.28-alt1ALT-PU-2024-6616-1-Fixed
php8.1sisyphus_loongarch648.1.28-alt18.1.28-alt1ALT-PU-2024-6561-1-Fixed
php8.1p108.1.28-alt18.1.28-alt1ALT-PU-2024-6566-2345136Fixed
php8.1p10_e2k8.1.28-alt18.1.28-alt1ALT-PU-2024-6738-1-Fixed
php8.1c10f18.1.28-alt18.1.28-alt1ALT-PU-2024-6670-2345138Fixed
php8.2sisyphus8.2.18-alt18.2.19-alt1ALT-PU-2024-6444-1345013Fixed
php8.2sisyphus_e2k8.2.18-alt18.2.18-alt1ALT-PU-2024-6557-1-Fixed
php8.2sisyphus_riscv648.2.18-alt18.2.19-alt1ALT-PU-2024-6618-1-Fixed
php8.2sisyphus_loongarch648.2.18-alt18.2.19-alt1ALT-PU-2024-6563-1-Fixed
php8.2p108.2.18-alt18.2.19-alt1ALT-PU-2024-6501-2345089Fixed
php8.2p10_e2k8.2.18-alt18.2.18-alt1ALT-PU-2024-6789-1-Fixed
php8.3sisyphus8.3.6-alt18.3.7-alt1ALT-PU-2024-6442-1344089Fixed
php8.3sisyphus_e2k8.3.6-alt18.3.6-alt1ALT-PU-2024-6553-1-Fixed
php8.3sisyphus_riscv648.3.6-alt18.3.7-alt1ALT-PU-2024-6517-1-Fixed
php8.3sisyphus_loongarch648.3.6-alt18.3.7-alt1ALT-PU-2024-6559-1-Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4
    http://www.openwall.com/lists/oss-security/2024/04/12/11
      https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html
        VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
        Version: v24.5.1
        Back to top