CVE-2024-5585 Command injection via array-ish $command parameter of proc_open() (bypass CVE-2024-1874 fix)

2024-06-0918:36:50

CWE-116

CWE-78

php

www.cve.org

php

command injection

cve-2024-1874

proc_open()

windows shell

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

0.001 Low

EPSS

Percentile

48.1%

JSON

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "modules": [
      "proc_open"
    ],
    "platforms": [
      "Windows"
    ],
    "product": "PHP",
    "repo": "https://github.com/php/php-src",
    "vendor": "PHP Group",
    "versions": [
      {
        "lessThan": "8.1.29",
        "status": "affected",
        "version": "8.1.*",
        "versionType": "semver"
      },
      {
        "lessThan": "8.2.20",
        "status": "affected",
        "version": "8.2.*",
        "versionType": "semver"
      },
      {
        "lessThan": "8.3.8",
        "status": "affected",
        "version": "8.3.*",
        "versionType": "semver"
      }
    ]
  }
]