CVE-2024-11233

Description

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.

How to fix CVE-2024-11233

To remediate CVE-2024-11233, upgrade the affected package to a fixed version below.

• —upgrade to 8.1.31 or later
• —upgrade to 8.1.31 or later
• —upgrade to 8.1.31 or later
• —upgrade to 7.4.33-1+deb11u7 or later
• —upgrade to 7.4.33-1+deb11u7 or later
• —upgrade to 8.2.26-1~deb12u1 or later
• —upgrade to 8.2.26-1~deb12u1 or later

Is CVE-2024-11233 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• from 0, < 8.1.31, >= 8.2.0, < 8.2.26, >= 8.3.0, < 8.3.14
• from 0, < 8.1.31, >= 8.2.0, < 8.2.26, >= 8.3.0, < 8.3.14
• from 0, < 8.1.31, >= 8.2.0, < 8.2.26, >= 8.3.0, < 8.3.14
• from 0, < 7.4.33-1+deb11u7
• from 0, < 7.4.33-1+deb11u7
• from 0, < 8.2.26-1~deb12u1
• from 0, < 8.2.26-1~deb12u1

CVSS scores

References (5)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-11233
• WEBgithub.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43
• WEBlists.debian.org/debian-lts-announce/2024/12/msg00007.html
• WEBnvd.nist.gov/vuln/detail/CVE-2024-11233