CVE-2024-1874

CWE-116CWE-78OS Command Injection7 documents5 sources
Severity
9.4CRITICAL
EPSS
63.4%
top 1.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
PHP Group PHPPHP PHPFedoraproject Fedora
Timeline
PublishedApr 29
Latest updateJun 11

Description

In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:LExploitability: 3.9 | Impact: 5.5

Affected Packages2 packages

NVDphp/php8.1.08.1.28+2
CVEListV5php_group/php8.1.*8.1.29+5

Also affects: Fedora 39, 40

🔴Vulnerability Details

1
CVEList
Command injection via array-ish $command parameter of proc_open()2024-04-29

📋Vendor Advisories

5
Microsoft
Command injection via array-ish $command parameter of proc_open() (bypass CVE-2024-1874 fix)2024-06-11
Red Hat
php: Arguments execute arbitrary commands in Windows shell2024-06-07
Microsoft
Command injection via array-ish $command parameter of proc_open()2024-04-09
Red Hat
php: Fail to Escape Arguments Properly in Microsoft Windows2024-04-09
Debian
CVE-2024-1874: php7.4 - In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, wh...2024
CVE-2024-1874 (CRITICAL CVSS 9.4) | In PHP versions 8.1.* before 8.1.28 | cvebase.io