DNA View

CVE-2024-2408

CVSS Score: 5.9 (Medium)
Published: Jun 09, 2024
Last Modified: Mar 21, 2025

Vulnerability Description

The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.

PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.
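The description above points to two mitigations: an OpenSSL build with implicit rejection (so a PKCS#1 v1.5 padding failure is no longer distinguishable from success) and, at the application level, not relying on the default padding at all. The following script is an added example, not code from the advisory or from the PHP project; the function names are mine, the key pair and message are generated in-process for the demonstration, and the version check is only a heuristic, since the page notes that the fix is backported to older OpenSSL versions by Linux distributions and by the PHP Windows builds.

```php
<?php
// Added example (not from the advisory or the PHP project): decrypt RSA
// ciphertext with OAEP padding instead of the default PKCS#1 v1.5 padding,
// and report whether the linked OpenSSL is 3.2 or newer. Key and message
// below are constructed in-process; no real secrets are involved.

declare(strict_types=1);

// True when PHP is linked against OpenSSL >= 3.2, where implicit rejection
// (rsa_pkcs1_implicit_rejection) is part of the upstream release.
// Caveat: distributions and the PHP Windows builds backport the change to
// older versions, so "false" means "confirm with your vendor", not "vulnerable".
function opensslHasUpstreamImplicitRejection(): bool
{
    // OpenSSL 3.x encoding: major<<28 | minor<<20 | patch<<4, so 3.2.0 == 0x30200000
    return OPENSSL_VERSION_NUMBER >= 0x30200000;
}

// Pattern the advisory describes: the padding argument is left at its default
// (OPENSSL_PKCS1_PADDING), which is the mode the Marvin Attack targets.
function decryptWithDefaultPadding(string $ciphertext, $privateKey): ?string
{
    $plain = '';
    return openssl_private_decrypt($ciphertext, $plain, $privateKey) ? $plain : null;
}

// Hardened pattern: OAEP padding is not subject to the PKCS#1 v1.5 padding oracle.
function decryptWithOaep(string $ciphertext, $privateKey): ?string
{
    $plain = '';
    $ok = openssl_private_decrypt($ciphertext, $plain, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
    return $ok ? $plain : null;
}

// Encrypt with the matching OAEP mode; both sides must agree on the padding.
function encryptWithOaep(string $message, string $publicKeyPem): string
{
    $cipher = '';
    if (!openssl_public_encrypt($message, $cipher, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return $cipher;
}

// Demo with a throwaway 2048-bit RSA key pair generated for this run.
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
$publicPem = openssl_pkey_get_details($key)['key'];

$message    = 'constructed sample payload';
$ciphertext = encryptWithOaep($message, $publicPem);

// Round trip with OAEP on both sides recovers the message.
var_dump(decryptWithOaep($ciphertext, $key) === $message); // bool(true)

// Decrypting OAEP ciphertext with the PKCS#1 v1.5 default is a padding mismatch.
// On an unpatched OpenSSL this returns NULL (a distinguishable failure); on a
// build with implicit rejection it may "succeed" and return pseudo-random bytes
// derived from the ciphertext. That indistinguishability is the mitigation.
var_dump(decryptWithDefaultPadding($ciphertext, $key));

printf(
    "OpenSSL %s, upstream implicit rejection: %s\n",
    OPENSSL_VERSION_TEXT,
    opensslHasUpstreamImplicitRejection() ? 'yes' : 'not by version; check vendor backport'
);
```

Run it with the PHP CLI (`php marvin_check.php`, where the file name is arbitrary). The switch to OAEP only helps when every peer that encrypts to this key uses the same padding, so it is a protocol change, not a drop-in replacement; where PKCS#1 v1.5 must remain, the only mitigation the advisory offers is an OpenSSL build that includes the implicit-rejection change.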

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network (N)
Attack Complexity: High (H)
Privileges Required: None (N)
User Interaction: None (N)
Scope: Unchanged (U)
Confidentiality: High (H)
Integrity: None (N)
Availability: None (N)

Known Affected Software

57 configuration(s) from 2 vendor(s)

fedora
Version:
40
CPE:
cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
php
Version:
8.3.5
CPE:
cpe:2.3:a:php:php:8.3.5:-:*:*:*:*:*:*
php
Version:
8.1.25
CPE:
cpe:2.3:a:php:php:8.1.25:-:*:*:*:*:*:*
php
Version:
8.2.0
CPE:
cpe:2.3:a:php:php:8.2.0:-:*:*:*:*:*:*
php
Version:
8.1.12
CPE:
cpe:2.3:a:php:php:8.1.12:*:*:*:*:*:*:*
php
Version:
8.1.27
CPE:
cpe:2.3:a:php:php:8.1.27:-:*:*:*:*:*:*
php
Version:
8.2.5
CPE:
cpe:2.3:a:php:php:8.2.5:-:*:*:*:*:*:*
php
Version:
8.1.5
CPE:
cpe:2.3:a:php:php:8.1.5:rc1:*:*:*:*:*:*
php
Version:
8.2.14
CPE:
cpe:2.3:a:php:php:8.2.14:-:*:*:*:*:*:*
php
Version:
8.2.13
CPE:
cpe:2.3:a:php:php:8.2.13:-:*:*:*:*:*:*
php
Version:
8.1.21
CPE:
cpe:2.3:a:php:php:8.1.21:-:*:*:*:*:*:*
php
Version:
8.2.9
CPE:
cpe:2.3:a:php:php:8.2.9:-:*:*:*:*:*:*
php
Version:
8.1.23
CPE:
cpe:2.3:a:php:php:8.1.23:-:*:*:*:*:*:*
php
Version:
8.2.19
CPE:
cpe:2.3:a:php:php:8.2.19:-:*:*:*:*:*:*
php
Version:
8.3.0
CPE:
cpe:2.3:a:php:php:8.3.0:-:*:*:*:*:*:*
php
Version:
8.3.6
CPE:
cpe:2.3:a:php:php:8.3.6:-:*:*:*:*:*:*
php
Version:
8.3.1
CPE:
cpe:2.3:a:php:php:8.3.1:-:*:*:*:*:*:*
php
Version:
8.2.1
CPE:
cpe:2.3:a:php:php:8.2.1:-:*:*:*:*:*:*
php
Version:
8.1.7
CPE:
cpe:2.3:a:php:php:8.1.7:rc1:*:*:*:*:*:*
php
Version:
8.3.7
CPE:
cpe:2.3:a:php:php:8.3.7:-:*:*:*:*:*:*
php
Version:
8.1.1
CPE:
cpe:2.3:a:php:php:8.1.1:rc1:*:*:*:*:*:*
php
Version:
8.1.28
CPE:
cpe:2.3:a:php:php:8.1.28:-:*:*:*:*:*:*
php
Version:
8.1.15
CPE:
cpe:2.3:a:php:php:8.1.15:*:*:*:*:*:*:*
php
Version:
8.2.16
CPE:
cpe:2.3:a:php:php:8.2.16:-:*:*:*:*:*:*
php
Version:
8.1.4
CPE:
cpe:2.3:a:php:php:8.1.4:rc1:*:*:*:*:*:*
php
Version:
8.2.18
CPE:
cpe:2.3:a:php:php:8.2.18:-:*:*:*:*:*:*
php
Version:
8.2.10
CPE:
cpe:2.3:a:php:php:8.2.10:-:*:*:*:*:*:*
php
Version:
8.1.14
CPE:
cpe:2.3:a:php:php:8.1.14:*:*:*:*:*:*:*
php
Version:
8.2.11
CPE:
cpe:2.3:a:php:php:8.2.11:-:*:*:*:*:*:*
php
Version:
8.1.22
CPE:
cpe:2.3:a:php:php:8.1.22:rc1:*:*:*:*:*:*
php
Version:
8.1.17
CPE:
cpe:2.3:a:php:php:8.1.17:-:*:*:*:*:*:*
php
Version:
8.1.10
CPE:
cpe:2.3:a:php:php:8.1.10:*:*:*:*:*:*:*
php
Version:
8.2.2
CPE:
cpe:2.3:a:php:php:8.2.2:-:*:*:*:*:*:*
php
Version:
8.1.8
CPE:
cpe:2.3:a:php:php:8.1.8:*:*:*:*:*:*:*
php
Version:
8.2.17
CPE:
cpe:2.3:a:php:php:8.2.17:-:*:*:*:*:*:*
php
Version:
8.1.3
CPE:
cpe:2.3:a:php:php:8.1.3:rc1:*:*:*:*:*:*
php
Version:
8.1.13
CPE:
cpe:2.3:a:php:php:8.1.13:*:*:*:*:*:*:*
php
Version:
8.1.9
CPE:
cpe:2.3:a:php:php:8.1.9:*:*:*:*:*:*:*
php
Version:
8.1.0
CPE:
cpe:2.3:a:php:php:8.1.0:rc4:*:*:*:*:*:*
php
Version:
8.2.12
CPE:
cpe:2.3:a:php:php:8.2.12:-:*:*:*:*:*:*
php
Version:
8.2.7
CPE:
cpe:2.3:a:php:php:8.2.7:-:*:*:*:*:*:*
php
Version:
8.1.6
CPE:
cpe:2.3:a:php:php:8.1.6:rc1:*:*:*:*:*:*
php
Version:
8.2.3
CPE:
cpe:2.3:a:php:php:8.2.3:*:*:*:*:*:*:*
php
Version:
8.1.18
CPE:
cpe:2.3:a:php:php:8.1.18:-:*:*:*:*:*:*
php
Version:
8.2.4
CPE:
cpe:2.3:a:php:php:8.2.4:-:*:*:*:*:*:*
php
Version:
8.1.16
CPE:
cpe:2.3:a:php:php:8.1.16:*:*:*:*:*:*:*
php
Version:
8.3.2
CPE:
cpe:2.3:a:php:php:8.3.2:-:*:*:*:*:*:*
php
Version:
8.3.3
CPE:
cpe:2.3:a:php:php:8.3.3:-:*:*:*:*:*:*
php
Version:
8.1.2
CPE:
cpe:2.3:a:php:php:8.1.2:rc1:*:*:*:*:*:*
php
Version:
8.3.4
CPE:
cpe:2.3:a:php:php:8.3.4:-:*:*:*:*:*:*
php
Version:
8.1.24
CPE:
cpe:2.3:a:php:php:8.1.24:-:*:*:*:*:*:*
php
Version:
8.1.20
CPE:
cpe:2.3:a:php:php:8.1.20:-:*:*:*:*:*:*
php
Version:
8.2.6
CPE:
cpe:2.3:a:php:php:8.2.6:-:*:*:*:*:*:*
php
Version:
8.1.26
CPE:
cpe:2.3:a:php:php:8.1.26:-:*:*:*:*:*:*
php
Version:
8.2.8
CPE:
cpe:2.3:a:php:php:8.2.8:-:*:*:*:*:*:*
php
Version:
8.1.19
CPE:
cpe:2.3:a:php:php:8.1.19:-:*:*:*:*:*:*
php
Version:
8.2.15
CPE:
cpe:2.3:a:php:php:8.2.15:-:*:*:*:*:*:*
This vulnerability affects 57 software configuration(s). Ensure you patch all affected systems.

Available Security Patches

1 patch available from vendors

Microsoft

2024-Jun-CVE-2024-2408

CVE-2024-2408: PHP is vulnerable to the Marvin Attack

Severity
Unknown
Released
Oct 22, 2025
Security Update

Severity Details

5.9
out of 10.0
Medium

Weakness Type (CWE)

CWE-203

Observable Discrepancy

Description
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or…
Typical Severity
Medium
Abstraction Level
Base

Key Information

Published Date
June 09, 2024