CVE-2024-8932: OOB access in ldap_escape

9.8 CVSS

Description

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

Classification

CVE ID: CVE-2024-8932

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

Affected Products

Vendor: PHP Group

Product: PHP

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.44% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff

Timeline

2024-11-28 00:12:01 UTC
CVE

OOB access in ldap_escape