The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.
References
Configurations
History
21 Nov 2024, 09:09
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864 - Exploit, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/ - Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/ - |
13 Jun 2024, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
12 Jun 2024, 17:07
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.9 |
CWE | CWE-203 | |
First Time |
Php
Fedoraproject Php php Fedoraproject fedora |
|
References | () https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864 - Exploit, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/ - Third Party Advisory | |
CPE | cpe:2.3:a:php:php:*:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:* |
12 Jun 2024, 02:15
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
References |
|
09 Jun 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-09 20:15
Updated : 2024-11-21 09:09
NVD link : CVE-2024-2408
Mitre link : CVE-2024-2408
CVE.ORG link : CVE-2024-2408
JSON object : View
Products Affected
php
- php
fedoraproject
- fedora
CWE
CWE-203
Observable Discrepancy