CVE-2024-5585

CWE-78OS Command InjectionCWE-1166 documents6 sources
Severity
8.8HIGH
EPSS
0.9%
top 24.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
PHP Group PHPPHP PHPFedoraproject Fedora
Timeline
PublishedJun 9
Latest updateOct 15

Description

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:LExploitability: 2.2 | Impact: 5.5

Affected Packages2 packages

NVDphp/php8.1.08.1.29+2
CVEListV5php_group/php8.1.*8.1.29+2

Also affects: Fedora 40

🔴Vulnerability Details

1
CVEList
Command injection via array-ish $command parameter of proc_open() (bypass CVE-2024-1874 fix)2024-06-09

📋Vendor Advisories

4
Oracle
Oracle Oracle Communications Applications Risk Matrix: Core (PHP) — CVE-2024-55852024-10-15
Microsoft
Command injection via array-ish $command parameter of proc_open() (bypass CVE-2024-1874 fix)2024-06-11
Red Hat
php: Arguments execute arbitrary commands in Windows shell2024-06-07
Debian
CVE-2024-5585: php7.4 - In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, th...2024
CVE-2024-5585 (HIGH CVSS 8.8) | In PHP versions 8.1.* before 8.1.29 | cvebase.io