CVE-2024-11233: 
PHP vulnerability analysis and mitigation

CVE-2024-11233 affects PHP versions 8.1. before 8.1.31, 8.2. before 8.2.26, and 8.3.* before 8.3.14. The vulnerability exists in the convert.quoted-printable-decode filter where certain data can lead to a buffer overread by one byte, potentially resulting in crashes or disclosure of content from other memory areas (NVD, PHP Advisory).

The vulnerability is caused by a missing bound check in PHP's filter handling system. When processing input with convert.quoted-printable-decode filters, the issue can trigger a segmentation fault detected by AddressSanitizer (ASAN). The vulnerability manifests as a read memory access violation, specifically a single byte overread condition. The CVSS v3.1 base scores vary between sources, with NVD rating it as 8.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) and PHP Group rating it as 4.8 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L) (PHP Advisory, NVD).

The vulnerability can lead to two primary impacts: system crashes resulting in denial of service (DoS) and potential disclosure of content from other memory areas. The issue affects any systems that use these filters in sequence, particularly those processing untrusted user input through php://filter (PHP Advisory).

The vulnerability has been patched in PHP versions 8.1.31, 8.2.26, and 8.3.14. Users should upgrade to these or later versions to mitigate the vulnerability (NVD).