// For flags

CVE-2024-9026

PHP-FPM logs from children may be altered

Severity Score

3.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

A flaw was found in PHP-FPM, the FastCGI Process Manager. This vulnerability can allow an attacker to manipulate or remove up to 4 characters from log messages via crafted log content, potentially polluting or altering the final log. If PHP-FPM is configured to use syslog output, further log data manipulation is possible via the same vector.

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

It was discovered that PHP incorrectly handled parsing multipart form data. A remote attacker could possibly use this issue to inject payloads and cause PHP to ignore legitimate data. It was discovered that PHP incorrectly handled the cgi.force_redirect configuration option due to environment variable collisions. In certain configurations, an attacker could possibly use this issue bypass force_redirect restrictions.

*Credits: Sébastien Rolland
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Local
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
Poc
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-09-20 CVE Reserved
  • 2024-10-02 CVE Published
  • 2024-10-08 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-117: Improper Output Neutralization for Logs
  • CWE-158: Improper Neutralization of Null Byte or NUL Character
CAPEC
  • CAPEC-268: Audit Log Manipulation
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
PHP Group
Search vendor "PHP Group"
 PHP
Search vendor "PHP Group" for product "PHP"
 >= 8.1.0 < 8.1.30
Search vendor "PHP Group" for product "PHP" and version " >= 8.1.0 < 8.1.30"
en
Affected
PHP Group
Search vendor "PHP Group"
 PHP
Search vendor "PHP Group" for product "PHP"
 >= 8.2.0 < 8.2.24
Search vendor "PHP Group" for product "PHP" and version " >= 8.2.0 < 8.2.24"
en
Affected
PHP Group
Search vendor "PHP Group"
 PHP
Search vendor "PHP Group" for product "PHP"
 >= 8.3.0 < 8.3.12
Search vendor "PHP Group" for product "PHP" and version " >= 8.3.0 < 8.3.12"
en
Affected