CVE-2024-8929: 
PHP vulnerability analysis and mitigation

A vulnerability identified as CVE-2024-8929 affects PHP versions 8.1. before 8.1.31, 8.2. before 8.2.26, and 8.3.* before 8.3.14. The vulnerability was disclosed on November 21, 2024, and allows a hostile MySQL server to cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server (PHP Advisory).

The vulnerability exists in the PHP MySQL client library's function 'phpmysqlndrsetfieldread' when parsing MySQL fields packets. The issue allows an attacker to abuse the parsing of field packets by crafting specific packets that can trigger a heap buffer over-read condition. The vulnerability has been assigned a CVSS v3.1 base score of 5.8 (Medium) with the vector string CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N (PHP Advisory, NVD).

When successfully exploited, this vulnerability can lead to the disclosure of sensitive information, specifically the content of previous SQL query responses from the PHP-FPM worker's memory. This is particularly impactful in environments where PHP-FPM is used, as workers continue running between requests and retain contextual data (PHP Advisory).

The vulnerability has been patched in PHP versions 8.1.31, 8.2.26, and 8.3.14. Users are advised to upgrade to these or later versions to mitigate the risk (PHP Advisory).