CVE-2024-8927: 
PHP vulnerability analysis and mitigation

CVE-2024-8927 affects PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, and 8.3.* before 8.3.12. The vulnerability relates to the HTTP_REDIRECT_STATUS variable used to check whether a CGI binary is being run by the HTTP server. This security flaw allows attackers to bypass the cgi.force_redirect configuration option through manipulation of HTTP headers (PHP Advisory).

The vulnerability exists in the PHP CGI implementation where both REDIRECT_STATUS and HTTP_REDIRECT_STATUS environment variables are considered valid while cgi.force_redirect is enabled. The security issue arises because the Redirect-Status header can be converted to the HTTP_REDIRECT_STATUS environment variable, allowing attackers to bypass the cgi.force_redirect restriction through HTTP headers. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (PHP Advisory).

While this vulnerability doesn't pose significant security risks in most common configurations, certain configurations that modify the SCRIPT_FILENAME environment variable may be vulnerable to arbitrary file inclusion in PHP. The primary impact is the potential bypass of security restrictions intended to prevent direct access to PHP CGI binaries (PHP Advisory, Security Online).

The vulnerability has been patched in PHP versions 8.1.30, 8.2.24, and 8.3.12. Users are strongly recommended to update their PHP installations to these patched versions immediately to address this security issue (Security Online).