CVE-2024-2756

Host/Secure cookie bypass due to partial CVE-2022-31629

Publication Date 2024-04-12
Severity Low
Type Cross-Site Request Forgery
Affected PHP Versions
  • 7.4.0 - 7.4.33
  • 8.0.0 - 8.0.30
  • 8.1.0 - 8.1.27
  • 8.2.0 - 8.2.17
  • 8.3.0 - 8.3.5
Fixed Product Versions
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendServer 2019.1.6
  • ZendServer 2021.3.4

CVE Details

Due to an incomplete fix for CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser, which is then treated as a __Host- or __Secure- cookie by PHP applications.

Recommendations

If you use Same-Site cookies, we recommend updating to a patched version of PHP.