
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-2756 is a security vulnerability in PHP applications discovered in early 2024. It stems from an incomplete fix for CVE-2022-31629: network and same-site attackers can set a standard insecure cookie in the victim's browser that PHP applications then treat as a __Host- or __Secure- cookie. The vulnerability affects PHP versions >8.1.11 and was patched in versions 8.1.28, 8.2.18, and 8.3.6, released in April 2024 (PHP Advisory).
The vulnerability lies in PHP's cookie handling: PHP rewrites certain characters in incoming cookie names to underscores when populating $_COOKIE, so a cookie whose name starts with _[Host- is incorrectly parsed as a __Host- cookie even though the browser never applied the __Host- rules to it. The flaw received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, indicating a network attack vector, low attack complexity, no privileges required, user interaction required, and a high integrity impact with no confidentiality or availability impact (NVD). The vulnerability is classified under CWE-20 (Improper Input Validation).
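As an added illustration (not code from this entry or from the PHP project), the following Python audit helper applies a simplified model of PHP's cookie-name rewriting to a raw Cookie header and flags names that would only gain a __Host- or __Secure- prefix after rewriting, which is the pattern a request-log or WAF review would look for. The rewriting rules (dots, spaces and an unmatched "[" become underscores) are an assumption modelled on main/php_variables.c, and the Cookie header below is constructed sample input.

```python
from typing import List, Optional, Tuple
import re

# Cookie-name prefixes the browser only sets under Secure/Host rules (RFC 6265bis).
PROTECTED_PREFIXES = ("__Host-", "__Secure-")

# Constructed sample header: one genuine __Host- cookie, one name that is
# rewritten into a __Host- prefix, one ordinary cookie, one rewritten __Secure-.
SAMPLE_COOKIE_HEADER = (
    "__Host-session=abc; _[Host-session=evil; PHPSESSID=xyz; _.Secure-token=x"
)


def php_mangle_name(name: str) -> Optional[str]:
    """Approximate how PHP rewrites an incoming cookie name into a $_COOKIE key
    (assumption: simplified model of php_register_variable_ex).
    - leading spaces are skipped; '.' and ' ' in the base name become '_'
    - the first '[' opens an array index; with no closing ']' the '[' and any
      later '.', ' ' or '[' become '_' instead
    Returns None where PHP would drop the variable (empty base name)."""
    name = name.lstrip(" ")
    base, bracket, rest = name.partition("[")
    base = base.replace(".", "_").replace(" ", "_")
    if not base:
        return None
    if not bracket or "]" in rest:
        # plain name, or a real array index such as a[b] whose top-level key is 'a'
        return base
    return base + "_" + re.sub(r"[ .\[]", "_", rest)


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a raw Cookie request header into (name, value) pairs, in order."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def spoofed_prefix_cookies(header: str) -> List[Tuple[str, str]]:
    """Return (raw_name, mangled_name) for cookies whose raw name lacks a
    protected prefix but whose PHP-side key would carry one."""
    hits = []
    for raw, _value in parse_cookie_header(header):
        mangled = php_mangle_name(raw)
        if not raw.startswith(PROTECTED_PREFIXES) and mangled and mangled.startswith(PROTECTED_PREFIXES):
            hits.append((raw, mangled))
    return hits


if __name__ == "__main__":
    for raw, mangled in spoofed_prefix_cookies(SAMPLE_COOKIE_HEADER):
        print(f"suspicious cookie name {raw!r} would become {mangled!r}")
```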
Successful exploitation of this vulnerability could lead to addition or modification of data in PHP applications. The vulnerability allows attackers to bypass security controls related to secure cookie handling, potentially leading to session hijacking or other cookie-based attacks (NetApp Advisory).
The primary mitigation is to upgrade to the patched versions: PHP 8.1.28, 8.2.18, or 8.3.6. Various vendors have released security updates addressing this vulnerability, including Debian, which fixed the issue in PHP 7.3.31-1~deb10u6 (Debian Advisory). No alternative workarounds have been publicly documented.
Multiple vendors and organizations have responded to this vulnerability by issuing security advisories and patches, including NetApp, Debian, and Ubuntu. The vulnerability was initially reported multiple times via email after the fix for CVE-2022-31629, but the messages were apparently lost, leading to delayed remediation (PHP Advisory).
Source: This report was generated using AI