CVE-2024-1874

Command injection via array-ish $command parameter of proc_open()

Severity Score

9.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

En las versiones de PHP 8.1.* anteriores a 8.1.28, 8.2.* anteriores a 8.2.18, 8.3.* anteriores a 8.3.5, cuando se utiliza el comando proc_open() con sintaxis de matriz, debido a un escape insuficiente, si los argumentos del comando ejecutado son controlado por un usuario malintencionado, el usuario puede proporcionar argumentos que ejecutarían comandos arbitrarios en el shell de Windows.

*Credits: RyotaK

CVSS Scores

PHP Groupv3.1 9.4

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-02-25 CVE Reserved
2024-04-29 CVE Published
2024-06-13 EPSS Updated
2024-07-18 First Exploit
2024-08-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-116: Improper Encoding or Escaping of Output

CAPEC

References (7)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/04/12/11
http://www.openwall.com/lists/oss-security/2024/06/07/1
https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK
https://security.netapp.com/advisory/ntap-20240510-0009

URL	Date	SRC
https://github.com/Tgcohce/CVE-2024-1874	2024-07-18

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
PHP Group Search vendor "PHP Group"		PHP Search vendor "PHP Group" for product "PHP"				>= 8.1.0 < 8.1.28 Search vendor "PHP Group" for product "PHP" and version " >= 8.1.0 < 8.1.28"		en		Affected
PHP Group Search vendor "PHP Group"		PHP Search vendor "PHP Group" for product "PHP"				>= 8.2.0 < 8.2.18 Search vendor "PHP Group" for product "PHP" and version " >= 8.2.0 < 8.2.18"		en		Affected
PHP Group Search vendor "PHP Group"		PHP Search vendor "PHP Group" for product "PHP"				>= 8.3.0 < 8.3.5 Search vendor "PHP Group" for product "PHP" and version " >= 8.3.0 < 8.3.5"		en		Affected