{"id":"AZL-42424","summary":"CVE-2024-4577 affecting package php for versions less than 8.1.29-1","details":"In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use \"Best-Fit\" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.","modified":"2026-04-01T05:14:34.443197Z","published":"2024-06-09T20:15:09Z","upstream":["CVE-2024-4577"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4577"}],"affected":[{"package":{"name":"php","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/php"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8.1.29-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-42424.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}