Vulnerability details: VCID-du62-sx81-57cr
Vulnerability ID VCID-du62-sx81-57cr
Aliases CVE-2024-9026
Summary In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
Status Published
Exploitability 0.5
Weighted Severity 3.0
Risk 1.5
System Score Found at
cvssv3 3.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-9026.json
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2024-9026
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2024-9026
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2024-9026
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2024-9026
epss 0.00018 https://api.first.org/data/v1/epss?cve=CVE-2024-9026
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2024-9026
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2024-9026
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2024-9026
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2024-9026
cvssv3.1 3.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 3.3 https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5
ssvc Track https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5
cvssv3 3.3 https://nvd.nist.gov/vuln/detail/CVE-2024-9026
cvssv3.1 3.3 https://nvd.nist.gov/vuln/detail/CVE-2024-9026
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-9026.json
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-08T12:47:58Z/ Found at https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-9026
Exploit Prediction Scoring System (EPSS)
Percentile 0.01356
EPSS Score 0.00013
Published At April 15, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2024-09-26T08:25:31.421913+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 34.0.1