Security Alert: CVE-2024-4577 - PHP CGI Argument Injection Vulnerability

kb: technical

Situation

  • Critical vulnerability CVE-2024-4577 has been identified in PHP. It affects PHP running on Windows in CGI mode, in every release of the supported branches earlier than the fixed versions below (older branches that are out of support did not receive a fix):

    • PHP 8.3: < 8.3.8
    • PHP 8.2: < 8.2.20
    • PHP 8.1: < 8.1.29

Impact

An unauthenticated attacker can bypass the protections added for the earlier php-cgi argument injection (CVE-2012-1823) and execute arbitrary code on a remote PHP server. The flaw is Windows-specific: in certain system locales the operating system's "Best-Fit" character conversion maps a soft hyphen (0xAD) in the query string to a regular hyphen, so php-cgi.exe interprets attacker-supplied text as command-line options (for example -d directives that override the PHP configuration).

Status

Our Security Team investigated the issue and concluded that Plesk is not affected, because:

  • Plesk for Windows runs PHP in FastCGI mode only; the vulnerable CGI handler mode is not supported.
  • Plesk does support CGI scripts in general, but it does not place php.exe or php-cgi.exe in /cgi-bin/ directories and does not expose the PHP binaries to CGI in any other way (e.g. through the web server configuration).

Therefore, Plesk users are not susceptible to this PHP for Windows vulnerability as long as the Plesk-managed PHP configuration is kept: a manually added handler mapping that runs php-cgi.exe through the CGI module, or a copy of the PHP binaries placed in a cgi-bin directory, would reintroduce the exposure. Nonetheless, the PHP versions shipped with Plesk will be updated to the fixed releases as usual in upcoming Plesk updates.
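The following PowerShell script is an added example for administrators who want to verify the three conditions above on their own Windows host; it is not part of the Plesk advisory or of Plesk's own tooling. It assumes IIS with the WebAdministration module (the module names CgiModule and FastCgiModule are IIS's own), and the PHP and web root paths in the usage lines are placeholders to be adjusted.

```powershell
# Added example (not Plesk code). Checks a Windows/IIS host for CVE-2024-4577 exposure:
#   1. is the PHP build at or above the fixed release for its branch?
#   2. is any php*.exe sitting in a cgi-bin directory under the web roots?
#   3. does any IIS handler mapping run php(-cgi).exe through the CGI module (vs. FastCGI)?

$FixedVersions = @{
    '8.3' = [version]'8.3.8'
    '8.2' = [version]'8.2.20'
    '8.1' = [version]'8.1.29'
}

function Test-PhpVersionFixed {
    param([Parameter(Mandatory)][string]$PhpExe)
    $raw = & $PhpExe -r 'echo PHP_VERSION;' 2>$null
    if (-not $raw) {
        return [pscustomobject]@{ Path = $PhpExe; Version = $null; Fixed = $false; Note = 'could not execute php' }
    }
    # Strip suffixes such as "-dev" or "RC1" before parsing
    $v = [version]($raw -replace '[^\d.].*$', '')
    $branch = "$($v.Major).$($v.Minor)"
    if ($FixedVersions.ContainsKey($branch)) {
        $ok   = $v -ge $FixedVersions[$branch]
        $note = if ($ok) { 'patched' } else { "update to $($FixedVersions[$branch]) or later" }
    } else {
        $ok   = $false
        $note = 'branch not covered by a fix (end of life); upgrade to a supported branch'
    }
    [pscustomobject]@{ Path = $PhpExe; Version = $v; Fixed = $ok; Note = $note }
}

function Find-PhpInCgiBin {
    # Any php*.exe inside a cgi-bin directory is directly reachable as a CGI program
    param([Parameter(Mandatory)][string[]]$WebRoots)
    Get-ChildItem -Path $WebRoots -Recurse -Directory -Filter 'cgi-bin' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -Path $_.FullName -Filter 'php*.exe' -File -ErrorAction SilentlyContinue } |
        Select-Object -ExpandProperty FullName
}

function Get-PhpCgiHandlers {
    # Server-level handlers plus the effective handler list of every site (site web.config overrides)
    Import-Module WebAdministration -ErrorAction Stop
    $scopes = @('IIS:\') + (Get-Website | ForEach-Object { "IIS:\Sites\$($_.Name)" })
    foreach ($scope in $scopes) {
        Get-WebConfiguration -Filter 'system.webServer/handlers/add' -PSPath $scope -ErrorAction SilentlyContinue |
            Where-Object { $_.scriptProcessor -match 'php(-cgi)?\.exe' } |
            ForEach-Object {
                [pscustomobject]@{
                    Scope           = $scope
                    Name            = $_.name
                    Path            = $_.path
                    Modules         = $_.modules
                    ScriptProcessor = $_.scriptProcessor
                    # CgiModule = PHP in CGI mode (exposed); FastCgiModule = the mode Plesk uses
                    Exposed         = ($_.modules -eq 'CgiModule')
                }
            }
    }
}

# Usage (paths are placeholders for this example; adjust to the host being checked):
$versionReport = Test-PhpVersionFixed -PhpExe 'C:\php\php-cgi.exe'
$cgiBinHits    = Find-PhpInCgiBin -WebRoots @('C:\inetpub\vhosts')
$handlerReport = Get-PhpCgiHandlers

$versionReport | Format-List
if ($cgiBinHits)  { Write-Warning "PHP binaries found in cgi-bin:`n$($cgiBinHits -join "`n")" }
$exposed = $handlerReport | Where-Object Exposed
if ($exposed)     { Write-Warning 'PHP is mapped through CgiModule:'; $exposed | Format-Table -AutoSize }
elseif (-not $cgiBinHits -and $versionReport.Fixed) { 'No CVE-2024-4577 exposure found on this host.' }
```

Run it in an elevated PowerShell session, since reading the IIS configuration requires administrative rights. A host that reports a FastCgiModule mapping only, no binaries in cgi-bin, and a patched version matches the configuration the Status section describes; any CgiModule mapping or cgi-bin hit is a deviation from it and should be removed regardless of the PHP version.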
