SUSE SLES12 Security Update : php74 (SUSE-SU-2024:1445-1)

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1445-1 advisory.

Due to an incomplete fix to CVE-2022-31629 (https://github.com/advisories/GHSA-c43m-486j-j32p), network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications. (CVE-2024-2756)

In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true. (CVE-2024-3096)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version…