CVE-2024-1874

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-1874
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

9.4 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
http://www.openwall.com/lists/oss-security/2024/04/12/11
http://www.openwall.com/lists/oss-security/2024/06/07/1
https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/
https://security.netapp.com/advisory/ntap-20240510-0009/
http://www.openwall.com/lists/oss-security/2024/04/12/11
http://www.openwall.com/lists/oss-security/2024/06/07/1
https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/
https://security.netapp.com/advisory/ntap-20240510-0009/
https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585
Configurations

No configuration.

History

13 Feb 2025, 18:16

Type Values Removed Values Added
Summary (en) In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.  (en) In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

21 Nov 2024, 08:51

Type Values Removed Values Added
References
  • () https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585 -
References () http://www.openwall.com/lists/oss-security/2024/04/12/11 - () http://www.openwall.com/lists/oss-security/2024/04/12/11 -
References () http://www.openwall.com/lists/oss-security/2024/06/07/1 - () http://www.openwall.com/lists/oss-security/2024/06/07/1 -
References () https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7 - () https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7 -
References () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/ -
References () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/ -
References () https://security.netapp.com/advisory/ntap-20240510-0009/ - () https://security.netapp.com/advisory/ntap-20240510-0009/ -

13 Jun 2024, 04:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/ -

12 Jun 2024, 02:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/ -

10 Jun 2024, 17:16

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/06/07/1 -
  • () https://security.netapp.com/advisory/ntap-20240510-0009/ -

01 May 2024, 17:15

Type Values Removed Values Added
Summary
  • (es) En las versiones de PHP 8.1.* anteriores a 8.1.28, 8.2.* anteriores a 8.2.18, 8.3.* anteriores a 8.3.5, cuando se utiliza el comando proc_open() con sintaxis de matriz, debido a un escape insuficiente, si los argumentos del comando ejecutado son controlado por un usuario malintencionado, el usuario puede proporcionar argumentos que ejecutarían comandos arbitrarios en el shell de Windows.
References
  • () http://www.openwall.com/lists/oss-security/2024/04/12/11 -

29 Apr 2024, 04:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-04-29 04:15

Updated : 2025-02-13 18:16

NVD link : CVE-2024-1874

Mitre link : CVE-2024-1874

CVE.ORG link : CVE-2024-1874

JSON object : View

Products Affected

No product.

CWE
CWE-116

Improper Encoding or Escaping of Output