CVE-2024-8929

Description

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.

How to fix CVE-2024-8929

To remediate CVE-2024-8929, upgrade the affected package to a fixed version below.

• —upgrade to 8.1.31 or later
• —upgrade to 8.1.31 or later
• —upgrade to 8.1.31 or later
• —upgrade to 7.4.33-1+deb11u7 or later
• —upgrade to 8.2.26-1~deb12u1 or later

Is CVE-2024-8929 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 8.1.31, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.14
• from 0, < 8.1.31, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.14
• from 0, < 8.1.31, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.14
• from 0, < 7.4.33-1+deb11u7
• from 0, < 8.2.26-1~deb12u1

CVSS scores

References (5)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-8929
• WEBgithub.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678
• WEBlists.debian.org/debian-lts-announce/2024/12/msg00007.html
• WEBnvd.nist.gov/vuln/detail/CVE-2024-8929