5.8
MEDIUM
CVE-2024-8929
MySQL Heap Data Exposure in PHP
Description

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.

INFO

Published Date :

Nov. 22, 2024, 7:15 a.m.

Last Modified :

Nov. 22, 2024, 7:15 a.m.

Source :

[email protected]

Remotely Exploitable :

No

Impact Score :

4.0

Exploitability Score :

1.3
Affected Products

The following products are affected by CVE-2024-8929 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Php php
: Total Affected Vendor : 1 | Products : 1
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-8929.

URL Resource
https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-8929 vulnerability anywhere in the article.

  • Cybersecurity News
DigiEver DVR Vulnerability Under Attack by Hail Cock Botnet

Akamai Security Intelligence Research Team (SIRT) has uncovered a vulnerability in DigiEver DS-2105 Pro DVRs is being actively exploited by the Hail Cock botnet, a Mirai variant enhanced with modern e ... Read more

Published Date: Dec 23, 2024 (2 weeks, 1 day ago)
CVE-2024-12729 CVE-2024-12728 CVE-2024-12727 CVE-2024-11053 CVE-2024-55563 CVE-2024-8929 CVE-2024-8932 CVE-2024-7339 CVE-2024-21320 CVE-2023-1389 ...+1 more CVE
  • Cybersecurity News
CVE-2024-53677 (CVSS 9.5): Critical Vulnerability in Apache Struts Allows Remote Code Execution

Developers using the popular Apache Struts framework are urged to update their systems immediately following the discovery of a critical security flaw (CVE-2024-53677, CVSS 9.5) that could allow attac ... Read more

Published Date: Dec 12, 2024 (3 weeks, 5 days ago)
CVE-2024-53677 CVE-2024-11053 CVE-2024-55563 CVE-2024-8929 CVE-2024-8932 CVE-2024-47533 CVE-2023-50164
  • Cybersecurity News
Zloader Trojan Employs Novel DNS Tunneling Protocol for Enhanced Evasion

Zloader, the modular Trojan with roots in the infamous Zeus malware, has once again evolved, presenting a new and sophisticated challenge to cybersecurity professionals. ThreatLabz, the security resea ... Read more

Published Date: Dec 12, 2024 (3 weeks, 5 days ago)
CVE-2024-11053 CVE-2024-55563 CVE-2024-8929 CVE-2024-8932 CVE-2024-47533 CVE-2022-37969
  • Cybersecurity News
Artivion Discloses Cybersecurity Incident, Impacts Operations and Financial Outlook

Artivion, Inc., a global leader in the development and manufacturing of cardiovascular surgical devices, announced a cybersecurity incident that has disrupted its operations and compromised sensitive ... Read more

Published Date: Dec 11, 2024 (3 weeks, 6 days ago)
CVE-2024-11053 CVE-2024-55563 CVE-2024-8929 CVE-2024-8932 CVE-2024-47533 CVE-2023-20269
  • Cybersecurity News
QNAP Addresses High Severity Vulnerabilities in License Center and Operating Systems

QNAP, a leading provider of network-attached storage (NAS) solutions, has issued a security advisory addressing multiple vulnerabilities affecting its License Center and QTS/QuTS hero operating system ... Read more

Published Date: Dec 09, 2024 (4 weeks, 1 day ago)
CVE-2024-11053 CVE-2024-55563 CVE-2024-50403 CVE-2024-50402 CVE-2024-50393 CVE-2024-48868 CVE-2024-48867 CVE-2024-48866 CVE-2024-48865 CVE-2024-48863 ...+6 more CVE
  • Cybersecurity News
CVE-2024-10905 (CVSS 10): Critical Vulnerability in SailPoint IdentityIQ Exposes Sensitive Data

A critical vulnerability has been discovered in SailPoint IdentityIQ, a widely used identity and access management (IAM) platform. This flaw, tracked as CVE-2024-10905, has been assigned a CVSS score ... Read more

Published Date: Dec 05, 2024 (1 month ago)
CVE-2024-11053 CVE-2024-55563 CVE-2024-8785 CVE-2024-10905 CVE-2024-8929 CVE-2024-8932 CVE-2024-47533 CVE-2024-51378
  • Cybersecurity News
CVE-2024-51378 (CVSS 10): Critical CyberPanel Flaw Under Active Attack, CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in CyberPanel, an open-source web hosting control panel. This flaw, tracked as CVE-2024-51378, is ... Read more

Published Date: Dec 05, 2024 (1 month ago)
CVE-2024-11053 CVE-2024-55563 CVE-2024-8929 CVE-2024-8932 CVE-2024-47533 CVE-2024-51568 CVE-2024-51567 CVE-2024-51378
  • Cybersecurity News
PHP Patches Multi Flaws, Including CVE-2024-8932 (CVSS 9.8), Urges Immediate Update

The PHP development team has released urgent security updates to address multiple vulnerabilities affecting versions prior to 8.1.31, 8.2.26, and 8.3.14. These vulnerabilities range in severity, with ... Read more

Published Date: Nov 26, 2024 (1 month, 1 week ago)
CVE-2024-11233 CVE-2024-11236 CVE-2024-11234 CVE-2024-38645 CVE-2024-38643 CVE-2024-8929 CVE-2024-8932 CVE-2024-20536 CVE-2024-48074 CVE-2024-20424 ...+1 more CVE

The following table lists the changes that have been made to the CVE-2024-8929 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by [email protected]

    Nov. 22, 2024

    Action Type Old Value New Value
    Added Description In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.
    Added CVSS V3.1 AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
    Added CWE CWE-200
    Added CWE CWE-125
    Added Reference https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-8929 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-8929 weaknesses.

CAPEC-540: Overread Buffers Overread Buffers CAPEC-13: Subverting Environment Variable Values Subverting Environment Variable Values CAPEC-22: Exploiting Trust in Client Exploiting Trust in Client CAPEC-59: Session Credential Falsification through Prediction Session Credential Falsification through Prediction CAPEC-60: Reusing Session IDs (aka Session Replay) Reusing Session IDs (aka Session Replay) CAPEC-79: Using Slashes in Alternate Encoding Using Slashes in Alternate Encoding CAPEC-116: Excavation Excavation CAPEC-169: Footprinting Footprinting CAPEC-224: Fingerprinting Fingerprinting CAPEC-285: ICMP Echo Request Ping ICMP Echo Request Ping CAPEC-287: TCP SYN Scan TCP SYN Scan CAPEC-290: Enumerate Mail Exchange (MX) Records Enumerate Mail Exchange (MX) Records CAPEC-291: DNS Zone Transfers DNS Zone Transfers CAPEC-292: Host Discovery Host Discovery CAPEC-293: Traceroute Route Enumeration Traceroute Route Enumeration CAPEC-294: ICMP Address Mask Request ICMP Address Mask Request CAPEC-295: Timestamp Request Timestamp Request CAPEC-296: ICMP Information Request ICMP Information Request CAPEC-297: TCP ACK Ping TCP ACK Ping CAPEC-298: UDP Ping UDP Ping CAPEC-299: TCP SYN Ping TCP SYN Ping CAPEC-300: Port Scanning Port Scanning CAPEC-301: TCP Connect Scan TCP Connect Scan CAPEC-302: TCP FIN Scan TCP FIN Scan CAPEC-303: TCP Xmas Scan TCP Xmas Scan CAPEC-304: TCP Null Scan TCP Null Scan CAPEC-305: TCP ACK Scan TCP ACK Scan CAPEC-306: TCP Window Scan TCP Window Scan CAPEC-307: TCP RPC Scan TCP RPC Scan CAPEC-308: UDP Scan UDP Scan CAPEC-309: Network Topology Mapping Network Topology Mapping CAPEC-310: Scanning for Vulnerable Software Scanning for Vulnerable Software CAPEC-312: Active OS Fingerprinting Active OS Fingerprinting CAPEC-313: Passive OS Fingerprinting Passive OS Fingerprinting CAPEC-317: IP ID Sequencing Probe IP ID Sequencing Probe CAPEC-318: IP 'ID' Echoed Byte-Order Probe IP 'ID' Echoed Byte-Order Probe CAPEC-319: IP (DF) 'Don't Fragment Bit' Echoing Probe IP (DF) 'Don't Fragment Bit' Echoing Probe CAPEC-320: TCP Timestamp Probe TCP Timestamp Probe CAPEC-321: TCP Sequence Number Probe TCP Sequence Number Probe CAPEC-322: TCP (ISN) Greatest Common Divisor Probe TCP (ISN) Greatest Common Divisor Probe CAPEC-323: TCP (ISN) Counter Rate Probe TCP (ISN) Counter Rate Probe CAPEC-324: TCP (ISN) Sequence Predictability Probe TCP (ISN) Sequence Predictability Probe CAPEC-325: TCP Congestion Control Flag (ECN) Probe TCP Congestion Control Flag (ECN) Probe CAPEC-326: TCP Initial Window Size Probe TCP Initial Window Size Probe CAPEC-327: TCP Options Probe TCP Options Probe CAPEC-328: TCP 'RST' Flag Checksum Probe TCP 'RST' Flag Checksum Probe CAPEC-329: ICMP Error Message Quoting Probe ICMP Error Message Quoting Probe CAPEC-330: ICMP Error Message Echoing Integrity Probe ICMP Error Message Echoing Integrity Probe CAPEC-472: Browser Fingerprinting Browser Fingerprinting CAPEC-497: File Discovery File Discovery CAPEC-508: Shoulder Surfing Shoulder Surfing CAPEC-573: Process Footprinting Process Footprinting CAPEC-574: Services Footprinting Services Footprinting CAPEC-575: Account Footprinting Account Footprinting CAPEC-576: Group Permission Footprinting Group Permission Footprinting CAPEC-577: Owner Footprinting Owner Footprinting CAPEC-616: Establish Rogue Location Establish Rogue Location CAPEC-643: Identify Shared Files/Directories on System Identify Shared Files/Directories on System CAPEC-646: Peripheral Footprinting Peripheral Footprinting CAPEC-651: Eavesdropping Eavesdropping
CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: