{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-1874", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2024-02-25T04:39:00.479Z", "datePublished": "2024-04-29T03:57:35.624Z", "dateUpdated": "2025-02-13T17:32:26.388Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "platforms": ["Windows"], "product": "PHP", "vendor": "PHP Group", "versions": [{"lessThan": "8.1.28", "status": "affected", "version": "8.1.*", "versionType": "semver"}, {"lessThan": "8.2.18", "status": "affected", "version": "8.2.*", "versionType": "semver"}, {"lessThan": "8.3.5", "status": "affected", "version": "8.3.*", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This problem only present in Windows versions of PHP.&nbsp;"}], "value": "This problem only present in Windows versions of PHP."}], "credits": [{"lang": "en", "type": "reporter", "value": "RyotaK"}], "datePublic": "2024-04-11T17:15:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.&nbsp;</p>"}], "value": "In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-06-13T04:06:17.168Z"}, "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0009/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}], "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254", "discovery": "EXTERNAL"}, "title": "Command injection via array-ish $command parameter of proc_open()", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Using proc_open() string syntax avoids the problem.&nbsp;"}], "value": "Using proc_open() string syntax avoids the problem."}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1874", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T13:05:18.510843Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.1.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.2.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.3.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.3.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:00:58.913Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:32:26.967Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0009/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585"}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0009/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:32:26.967Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1874", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T13:05:18.510843Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.1.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.2.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.3.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.3.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T13:09:16.021Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Command injection via array-ish $command parameter of proc_open()", "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "RyotaK"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PHP Group", "product": "PHP", "versions": [{"status": "affected", "version": "8.1.*", "lessThan": "8.1.28", "versionType": "semver"}, {"status": "affected", "version": "8.2.*", "lessThan": "8.2.18", "versionType": "semver"}, {"status": "affected", "version": "8.3.*", "lessThan": "8.3.5", "versionType": "semver"}], "platforms": ["Windows"], "defaultStatus": "affected"}], "datePublic": "2024-04-11T17:15:00.000Z", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0009/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}], "workarounds": [{"lang": "en", "value": "Using proc_open() string syntax avoids the problem.", "supportingMedia": [{"type": "text/html", "value": "Using proc_open() string syntax avoids the problem.&nbsp;", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.", "supportingMedia": [{"type": "text/html", "value": "<p>In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.&nbsp;</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output"}]}], "configurations": [{"lang": "en", "value": "This problem only present in Windows versions of PHP.", "supportingMedia": [{"type": "text/html", "value": "This problem only present in Windows versions of PHP.&nbsp;", "base64": false}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-06-13T04:06:17.168Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1874", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:32:26.388Z", "dateReserved": "2024-02-25T04:39:00.479Z", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "datePublished": "2024-04-29T03:57:35.624Z", "assignerShortName": "php"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "A888D1BE-9D93-4707-AA45-61EF1DB5488C", "versionEndExcluding": "8.1.28", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AC1B000-D5C4-49E9-8EFE-8C5C8FF50AF2", "versionEndExcluding": "8.2.18", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE619987-797E-493B-B089-2E1CADDA9C47", "versionEndExcluding": "8.3.5", "versionStartIncluding": "8.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell."}, {"lang": "es", "value": "En las versiones de PHP 8.1.* anteriores a 8.1.28, 8.2.* anteriores a 8.2.18, 8.3.* anteriores a 8.3.5, cuando se utiliza el comando proc_open() con sintaxis de matriz, debido a un escape insuficiente, si los argumentos del comando ejecutado son controlado por un usuario malintencionado, el usuario puede proporcionar argumentos que ejecutar\u00edan comandos arbitrarios en el shell de Windows."}], "id": "CVE-2024-1874", "lastModified": "2025-06-18T21:12:24.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security@php.net", "type": "Secondary"}]}, "published": "2024-04-29T04:15:07.580", "references": [{"source": "security@php.net", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"source": "security@php.net", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"source": "security@php.net", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7"}, {"source": "security@php.net", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"source": "security@php.net", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240510-0009/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240510-0009/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "security@php.net", "type": "Secondary"}]}

{"bugzilla": {"description": "php: Fail to Escape Arguments Properly in Microsoft Windows", "id": "2267262", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2267262"}, "csaw": false, "cwe": "CWE-78", "details": ["In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.", "A command injection flaw was found in PHP, exclusive to Windows environments. This flaw allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function in specific conditions. The CreateProcess function implicitly uses cmd.exe when executing batch files, which has complicated parsing rules for arguments that have not fully escaped. It is possible to inject commands if an attacker can control part of the command arguments of the batch file."], "name": "CVE-2024-1874", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:7.4/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:8.0/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php:8.1/php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-1874\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1874\nhttps://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/"], "statement": "This vulnerability exclusively applies to applications running on Windows."}

{}