Security Alert: CVE-2024-4577 - PHP CGI Argument Injection Vulnerability

Started by senthil, Sep 30, 2025, 08:03 AM

Situation

  • Critical vulnerability CVE-2024-4577 has been identified in PHP, affecting all PHP versions installed on
    Windows operating systems below the following:
      • PHP 8.3: < 8.3.8
      • PHP 8.2: < 8.2.20
      • PHP 8.1: < 8.1.29

Impact

It potentially allows unauthenticated attackers to bypass previous protections and execute arbitrary code on
remote PHP servers through an argument injection attack.

Status

The issue was investigated by our Security Team, which concluded that Plesk is not affected because:

  • On Windows, Plesk runs PHP in FastCGI mode and does not support CGI mode.
  • Plesk supports CGI, but it does not put the php.exe or php-cgi.exe binaries into the /cgi-bin/ directories and
    does not expose PHP binaries to CGI in other ways (e.g. via web server configuration).

Therefore, Plesk users are not susceptible to this PHP for Windows vulnerability. Nonetheless, Plesk PHP versions
will be updated to the fixed releases as usual in upcoming Plesk releases.
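Added example (not part of the original post, and not Plesk's own code): a Python check that classifies a Windows PHP build against the fixed releases listed above and reports any php.exe or php-cgi.exe found directly inside the cgi-bin directories you pass in. The version string, the directory list and the `isfile` hook are assumptions for illustration; branches the advisory does not list (e.g. 8.0) are reported as "not covered" rather than guessed.

```python
import os
import re
from typing import Callable, Iterable, List, Tuple

# Minimum fixed release per branch, exactly as listed in the advisory.
FIXED_RELEASES = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}

# Binaries the advisory says must not sit in a /cgi-bin/ directory.
CGI_BINARIES = ("php.exe", "php-cgi.exe")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract X.Y.Z from a bare version or from the first line of `php -v` output."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no PHP version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def assess_version(text: str) -> str:
    """Return 'affected', 'fixed', or 'not covered' (branch absent from the advisory)."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "not covered"
    return "fixed" if (major, minor, patch) >= fixed else "affected"


def exposed_cgi_binaries(
    cgi_bin_dirs: Iterable[str],
    isfile: Callable[[str], bool] = os.path.isfile,  # hook so the check is testable offline
) -> List[str]:
    """Paths of php.exe / php-cgi.exe found directly inside the given cgi-bin directories."""
    found: List[str] = []
    for directory in cgi_bin_dirs:
        for name in CGI_BINARIES:
            candidate = os.path.join(directory, name)
            if isfile(candidate):
                found.append(candidate)
    return found


def summarize(version_text: str, cgi_bin_dirs: Iterable[str]) -> str:
    """Combine both checks into the one-line status a defender wants to see."""
    status = assess_version(version_text)
    exposed = exposed_cgi_binaries(cgi_bin_dirs)
    if status == "affected" and exposed:
        return "at risk: affected PHP and CGI binary exposed via " + ", ".join(exposed)
    if status == "affected":
        return "update pending: affected PHP, but no CGI binary found in cgi-bin"
    return status
```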