Package details: pkg:deb/debian/php7.4@7.4.33-1%2Bdeb11u5
purl: pkg:deb/debian/php7.4@7.4.33-1%2Bdeb11u5
Next non-vulnerable version: None
Latest non-vulnerable version: None
Risk: 4.4

Vulnerabilities affecting this package (15)
Columns: Vulnerability | Aliases | Summary | Fixed by
VCID-1het-59gj-pyew
Aliases: CVE-2024-11233
Summary: In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in the convert.quoted-printable-decode filter, certain data can lead to a buffer over-read by one byte, which in certain circumstances can lead to crashes or disclose the content of other memory areas.
Fixed by: none reported

VCID-38d8-12uy-aaak
Aliases: CVE-2024-5458
Summary: In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var, when validating URLs (FILTER_VALIDATE_URL), treat invalid user information (the username and password part of the URL) as valid for certain types of URLs. This may lead to downstream code accepting invalid URLs as valid and parsing them incorrectly.
Fixed by: none reported

VCID-8uqv-nq5h-cqhx
Aliases: CVE-2025-1217
Summary: In PHP 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, when the HTTP request module parses an HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.
Fixed by: none reported

VCID-8x6t-aw8t-aygp
Aliases: CVE-2025-1736
Summary: In PHP 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, when user-supplied headers are sent, insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers being misinterpreted.
Fixed by: none reported

VCID-du62-sx81-57cr
Aliases: CVE-2024-9026
Summary: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using the PHP-FPM SAPI configured to catch worker output (catch_workers_output = yes), it may be possible to pollute the final log or remove up to 4 characters from log messages by manipulating the log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to remove further log data using the same vulnerability.
Fixed by: none reported

VCID-e7hs-zsy9-6ug1
Aliases: CVE-2024-8925
Summary: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. An attacker able to control part of the submitted data could thereby exclude a portion of the other data, potentially leading to erroneous application behavior.
Fixed by: none reported

VCID-gn4h-spq4-bqbd
Aliases: CVE-2024-8929
Summary: In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap, containing data from other SQL requests and possibly other data belonging to different users of the same server.
Fixed by: none reported

VCID-gtbz-jt4m-z7c7
Aliases: CVE-2025-1861
Summary: In PHP 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, when parsing an HTTP redirect in the response to an HTTP request, the Location value is limited to 1024 bytes by the size of the location buffer, whereas RFC 9110 recommends a limit of 8000. This may lead to incorrect URL truncation and redirecting to the wrong location.
Fixed by: none reported

VCID-hpde-dwsr-aaae
Aliases: CVE-2022-4900
Summary: Potential buffer overflow in php_cli_server_startup_workers (the built-in CLI web server).
Fixed by: none reported

VCID-jn31-rnxj-w3gm
Aliases: CVE-2024-8932
Summary: In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to the ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
Fixed by: none reported

VCID-muka-dudd-8qe9
Aliases: CVE-2025-1734
Summary: In PHP 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, when receiving headers from an HTTP server, headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
Fixed by: none reported

VCID-n8ga-f59j-33dg
Aliases: CVE-2024-11234
Summary: In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with a configured proxy and the "request_fulluri" option, the URI is not properly sanitized, which can lead to HTTP request smuggling and allow an attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
Fixed by: none reported

VCID-y321-tcam-sybr
Aliases: CVE-2024-8927
Summary: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, the HTTP_REDIRECT_STATUS variable is used to check whether or not the CGI binary is being run by the HTTP server. However, in certain scenarios the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to the cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.
Fixed by: none reported

VCID-yunq-j1p5-ybcp
Aliases: CVE-2024-11236
Summary: In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to the ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
Fixed by: none reported

VCID-ywy9-pqkm-wbad
Aliases: CVE-2025-1219
Summary: In PHP 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, and 8.4.* before 8.4.5, when requesting an HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
Fixed by: none reported
Vulnerabilities fixed by this package (0)
Columns: Vulnerability | Summary | Aliases
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2025-04-13T03:23:33.884061+00:00 | Debian Oval Importer | Affected by | VCID-ywy9-pqkm-wbad | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T03:16:09.435270+00:00 | Debian Oval Importer | Affected by | VCID-8x6t-aw8t-aygp | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T03:13:27.255107+00:00 | Debian Oval Importer | Affected by | VCID-gtbz-jt4m-z7c7 | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T03:02:46.262565+00:00 | Debian Oval Importer | Affected by | VCID-8uqv-nq5h-cqhx | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T02:52:31.755188+00:00 | Debian Oval Importer | Affected by | VCID-muka-dudd-8qe9 | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T02:28:11.637252+00:00 | Debian Oval Importer | Affected by | VCID-jn31-rnxj-w3gm | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T02:28:01.826471+00:00 | Debian Oval Importer | Affected by | VCID-1het-59gj-pyew | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T02:27:56.690497+00:00 | Debian Oval Importer | Affected by | VCID-gn4h-spq4-bqbd | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T02:27:48.706414+00:00 | Debian Oval Importer | Affected by | VCID-n8ga-f59j-33dg | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T02:27:47.355535+00:00 | Debian Oval Importer | Affected by | VCID-yunq-j1p5-ybcp | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T02:11:46.318781+00:00 | Debian Oval Importer | Affected by | VCID-du62-sx81-57cr | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T02:11:44.896858+00:00 | Debian Oval Importer | Affected by | VCID-e7hs-zsy9-6ug1 | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T02:11:44.193812+00:00 | Debian Oval Importer | Affected by | VCID-y321-tcam-sybr | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T02:11:43.537134+00:00 | Debian Oval Importer | Affected by | VCID-38d8-12uy-aaak | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0
2025-04-13T02:11:42.862260+00:00 | Debian Oval Importer | Affected by | VCID-hpde-dwsr-aaae | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0