CVE-2024-1874 - OpenCVE

In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/04/12/11
http://www.openwall.com/lists/oss-security/2024/06/07/1
https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/
https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/
https://nvd.nist.gov/vuln/detail/CVE-2024-1874
https://security.netapp.com/advisory/ntap-20240510-0009/
https://www.cve.org/CVERecord?id=CVE-2024-1874
https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585

History

Mon, 19 Aug 2024 08:30:00 +0000

Type	Values Removed	Values Added
References		https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585

MITRE

Status: PUBLISHED

Assigner: php

Published: 2024-04-29T03:57:35.624Z

Updated: 2024-08-19T07:32:26.967Z

Reserved: 2024-02-25T04:39:00.479Z

Link: CVE-2024-1874

Vulnrichment

Updated: 2024-08-19T07:32:26.967Z

NVD

Status : Awaiting Analysis

Published: 2024-04-29T04:15:07.580

Modified: 2024-06-13T04:15:16.157

Link: CVE-2024-1874

Redhat

Severity :

Publid Date: 2024-04-09T00:00:00Z

Links: CVE-2024-1874 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-1874", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2024-02-25T04:39:00.479Z", "datePublished": "2024-04-29T03:57:35.624Z", "dateUpdated": "2024-08-19T07:32:26.967Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "platforms": ["Windows"], "product": "PHP", "vendor": "PHP Group", "versions": [{"lessThan": "8.1.28", "status": "affected", "version": "8.1.*", "versionType": "semver"}, {"lessThan": "8.2.18", "status": "affected", "version": "8.2.*", "versionType": "semver"}, {"lessThan": "8.3.5", "status": "affected", "version": "8.3.*", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This problem only present in Windows versions of PHP. "}], "value": "This problem only present in Windows versions of PHP.\u00a0"}], "credits": [{"lang": "en", "type": "reporter", "value": "RyotaK"}], "datePublic": "2024-04-11T17:15:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. </p>"}], "value": "In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.\u00a0\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-04-29T03:57:35.624Z"}, "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0009/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}], "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254", "discovery": "EXTERNAL"}, "title": "Command injection via array-ish $command parameter of proc_open()", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Using proc_open() string syntax avoids the problem. "}], "value": "Using proc_open() string syntax avoids the problem.\u00a0"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1874", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T13:05:18.510843Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.1.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.2.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.3.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.3.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:00:58.913Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:32:26.967Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0009/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585"}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0009/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:32:26.967Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1874", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-29T13:05:18.510843Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.1.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.2.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:php_group:php:8.3.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.3.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T13:09:16.021Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Command injection via array-ish $command parameter of proc_open()", "source": {"advisory": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "RyotaK"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PHP Group", "product": "PHP", "versions": [{"status": "affected", "version": "8.1.*", "lessThan": "8.1.28", "versionType": "semver"}, {"status": "affected", "version": "8.2.*", "lessThan": "8.2.18", "versionType": "semver"}, {"status": "affected", "version": "8.3.*", "lessThan": "8.3.5", "versionType": "semver"}], "platforms": ["Windows"], "defaultStatus": "affected"}], "datePublic": "2024-04-11T17:15:00.000Z", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0009/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}], "workarounds": [{"lang": "en", "value": "Using proc_open() string syntax avoids the problem.\u00a0", "supportingMedia": [{"type": "text/html", "value": "Using proc_open() string syntax avoids the problem. ", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.\u00a0\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. </p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output"}]}], "configurations": [{"lang": "en", "value": "This problem only present in Windows versions of PHP.\u00a0", "supportingMedia": [{"type": "text/html", "value": "This problem only present in Windows versions of PHP. ", "base64": false}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-04-29T03:57:35.624Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1874", "state": "PUBLISHED", "dateUpdated": "2024-08-19T07:32:26.967Z", "dateReserved": "2024-02-25T04:39:00.479Z", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "datePublished": "2024-04-29T03:57:35.624Z", "assignerShortName": "php"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.\u00a0\n\n"}, {"lang": "es", "value": "En las versiones de PHP 8.1.* anteriores a 8.1.28, 8.2.* anteriores a 8.2.18, 8.3.* anteriores a 8.3.5, cuando se utiliza el comando proc_open() con sintaxis de matriz, debido a un escape insuficiente, si los argumentos del comando ejecutado son controlado por un usuario malintencionado, el usuario puede proporcionar argumentos que ejecutar\u00edan comandos arbitrarios en el shell de Windows."}], "id": "CVE-2024-1874", "lastModified": "2024-06-13T04:15:16.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security@php.net", "type": "Secondary"}]}, "published": "2024-04-29T04:15:07.580", "references": [{"source": "security@php.net", "url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"}, {"source": "security@php.net", "url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"source": "security@php.net", "url": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7"}, {"source": "security@php.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"source": "security@php.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"source": "security@php.net", "url": "https://security.netapp.com/advisory/ntap-20240510-0009/"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "security@php.net", "type": "Secondary"}]}

{"bugzilla": {"description": "php: Fail to Escape Arguments Properly in Microsoft Windows", "id": "2267262", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2267262"}, "csaw": false, "cwe": "CWE-78", "details": ["In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.\u00a0", "A command injection flaw was found in PHP, exclusive to Windows environments. This flaw allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function in specific conditions. The CreateProcess function implicitly uses cmd.exe when executing batch files, which has complicated parsing rules for arguments that have not fully escaped. It is possible to inject commands if an attacker can control part of the command arguments of the batch file."], "name": "CVE-2024-1874", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:7.4/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:8.0/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php:8.1/php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-1874\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1874\nhttps://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/"], "statement": "This vulnerability exclusively applies to applications running on Windows."}