{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-4577", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2024-05-06T22:21:01.742Z", "datePublished": "2024-06-09T19:42:36.464Z", "dateUpdated": "2024-08-19T07:54:59.546Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["CGI"], "platforms": ["Windows"], "product": "PHP", "repo": "https://github.com/php/php-src", "vendor": "PHP Group", "versions": [{"lessThan": "8.1.29", "status": "affected", "version": "8.1.*", "versionType": "semver"}, {"lessThan": "8.2.20", "status": "affected", "version": "8.2.*", "versionType": "semver"}, {"lessThan": "8.3.8", "status": "affected", "version": "8.3.*", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This problem is only present in Windows versions of PHP running in CGI mode, in systems where a codepage using \"Best Fit\" strategy is enabled.&nbsp;<br>"}], "value": "This problem is only present in Windows versions of PHP running in CGI mode, in systems where a codepage using \"Best Fit\" strategy is enabled."}], "credits": [{"lang": "en", "type": "reporter", "value": "Orange Tsai, DEVCORE Research Team"}], "datePublic": "2024-06-09T19:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In PHP versions<span style=\"background-color: var(--wht);\">&nbsp;8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use \"<span style=\"background-color: rgb(255, 255, 255);\">Best-Fit\" behavior to replace characters in command line given to&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.&nbsp;</span></span></span><span style=\"background-color: var(--wht);\"><br></span>"}], "value": "In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use \"Best-Fit\" behavior to replace characters in command line given to\u00a0Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-06-09T19:42:36.464Z"}, "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv"}, {"url": "https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html"}, {"url": "https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/"}, {"url": "https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/"}, {"url": "https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/"}, {"url": "https://github.com/11whoami99/CVE-2024-4577"}, {"url": "https://github.com/xcanwin/CVE-2024-4577-PHP-RCE"}, {"url": "https://github.com/rapid7/metasploit-framework/pull/19247"}, {"url": "https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/"}, {"url": "https://github.com/watchtowrlabs/CVE-2024-4577"}, {"url": "https://www.php.net/ChangeLog-8.php#8.1.29"}, {"url": "https://www.php.net/ChangeLog-8.php#8.2.20"}, {"url": "https://www.php.net/ChangeLog-8.php#8.3.8"}, {"url": "https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately"}, {"url": "https://isc.sans.edu/diary/30994"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0008/"}], "source": {"advisory": "GHSA-3qgc-jrrr-25jv", "discovery": "EXTERNAL"}, "title": "Argument Injection in PHP-CGI", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "php_group", "product": "php", "cpes": ["cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "8.1.0", "status": "affected", "lessThan": "8.1.29", "versionType": "custom"}]}, {"vendor": "php_group", "product": "php", "cpes": ["cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "8.2.0", "status": "affected", "lessThan": "8.2.20", "versionType": "custom"}]}, {"vendor": "php_group", "product": "php", "cpes": ["cpe:2.3:a:php_group:php:8.3.0:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "8.3.0", "status": "affected", "lessThan": "8.3.8", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-10T00:00:00+00:00", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-4577"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-06-12", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-15T03:55:27.674Z"}, "timeline": [{"time": "2024-06-12T00:00:00+00:00", "lang": "en", "value": "CVE-2024-4577 added to CISA KEV"}]}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:54:59.546Z"}, "references": [{"url": "https://www.vicarius.io/vsociety/posts/php-cgi-os-command-injection-vulnerability-cve-2024-4577"}, {"url": "https://www.vicarius.io/vsociety/posts/php-cgi-argument-injection-to-rce-cve-2024-4577"}, {"tags": ["x_transferred"], "url": "https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv"}, {"tags": ["x_transferred"], "url": "https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html"}, {"tags": ["x_transferred"], "url": "https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/"}, {"tags": ["x_transferred"], "url": "https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/"}, {"tags": ["x_transferred"], "url": "https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/"}, {"tags": ["x_transferred"], "url": "https://github.com/11whoami99/CVE-2024-4577"}, {"tags": ["x_transferred"], "url": "https://github.com/xcanwin/CVE-2024-4577-PHP-RCE"}, {"tags": ["x_transferred"], "url": "https://github.com/rapid7/metasploit-framework/pull/19247"}, {"tags": ["x_transferred"], "url": "https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/"}, {"tags": ["x_transferred"], "url": "https://github.com/watchtowrlabs/CVE-2024-4577"}, {"tags": ["x_transferred"], "url": "https://www.php.net/ChangeLog-8.php#8.1.29"}, {"tags": ["x_transferred"], "url": "https://www.php.net/ChangeLog-8.php#8.2.20"}, {"tags": ["x_transferred"], "url": "https://www.php.net/ChangeLog-8.php#8.3.8"}, {"tags": ["x_transferred"], "url": "https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately"}, {"tags": ["x_transferred"], "url": "https://isc.sans.edu/diary/30994"}, {"tags": ["x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"tags": ["x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"tags": ["x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"tags": ["x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20240621-0008/"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.vicarius.io/vsociety/posts/php-cgi-os-command-injection-vulnerability-cve-2024-4577"}, {"url": "https://www.vicarius.io/vsociety/posts/php-cgi-argument-injection-to-rce-cve-2024-4577"}, {"url": "https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv", "tags": ["x_transferred"]}, {"url": "https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html", "tags": ["x_transferred"]}, {"url": "https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/", "tags": ["x_transferred"]}, {"url": "https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/", "tags": ["x_transferred"]}, {"url": "https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/", "tags": ["x_transferred"]}, {"url": "https://github.com/11whoami99/CVE-2024-4577", "tags": ["x_transferred"]}, {"url": "https://github.com/xcanwin/CVE-2024-4577-PHP-RCE", "tags": ["x_transferred"]}, {"url": "https://github.com/rapid7/metasploit-framework/pull/19247", "tags": ["x_transferred"]}, {"url": "https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/", "tags": ["x_transferred"]}, {"url": "https://github.com/watchtowrlabs/CVE-2024-4577", "tags": ["x_transferred"]}, {"url": "https://www.php.net/ChangeLog-8.php#8.1.29", "tags": ["x_transferred"]}, {"url": "https://www.php.net/ChangeLog-8.php#8.2.20", "tags": ["x_transferred"]}, {"url": "https://www.php.net/ChangeLog-8.php#8.3.8", "tags": ["x_transferred"]}, {"url": "https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately", "tags": ["x_transferred"]}, {"url": "https://isc.sans.edu/diary/30994", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0008/", "tags": ["x_transferred"]}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:54:59.546Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4577", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-12T03:55:09.393016Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2024-06-12", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "affected": [{"cpes": ["cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.1.0", "lessThan": "8.1.29", "versionType": "custom"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.2.0", "lessThan": "8.2.20", "versionType": "custom"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:php_group:php:8.3.0:*:*:*:*:*:*:*"], "vendor": "php_group", "product": "php", "versions": [{"status": "affected", "version": "8.3.0", "lessThan": "8.3.8", "versionType": "custom"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-10T13:01:38.182Z"}, "timeline": [{"lang": "en", "time": "2024-06-12T00:00:00+00:00", "value": "CVE-2024-4577 added to CISA KEV"}]}], "cna": {"title": "Argument Injection in PHP-CGI", "source": {"advisory": "GHSA-3qgc-jrrr-25jv", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Orange Tsai, DEVCORE Research Team"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/php/php-src", "vendor": "PHP Group", "modules": ["CGI"], "product": "PHP", "versions": [{"status": "affected", "version": "8.1.*", "lessThan": "8.1.29", "versionType": "semver"}, {"status": "affected", "version": "8.2.*", "lessThan": "8.2.20", "versionType": "semver"}, {"status": "affected", "version": "8.3.*", "lessThan": "8.3.8", "versionType": "semver"}], "platforms": ["Windows"], "defaultStatus": "affected"}], "datePublic": "2024-06-09T19:30:00.000Z", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv"}, {"url": "https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html"}, {"url": "https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/"}, {"url": "https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/"}, {"url": "https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/"}, {"url": "https://github.com/11whoami99/CVE-2024-4577"}, {"url": "https://github.com/xcanwin/CVE-2024-4577-PHP-RCE"}, {"url": "https://github.com/rapid7/metasploit-framework/pull/19247"}, {"url": "https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/"}, {"url": "https://github.com/watchtowrlabs/CVE-2024-4577"}, {"url": "https://www.php.net/ChangeLog-8.php#8.1.29"}, {"url": "https://www.php.net/ChangeLog-8.php#8.2.20"}, {"url": "https://www.php.net/ChangeLog-8.php#8.3.8"}, {"url": "https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately"}, {"url": "https://isc.sans.edu/diary/30994"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0008/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use \"Best-Fit\" behavior to replace characters in command line given to\u00a0Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.", "supportingMedia": [{"type": "text/html", "value": "In PHP versions<span style=\"background-color: var(--wht);\">&nbsp;8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use \"<span style=\"background-color: rgb(255, 255, 255);\">Best-Fit\" behavior to replace characters in command line given to&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.&nbsp;</span></span></span><span style=\"background-color: var(--wht);\"><br></span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "configurations": [{"lang": "en", "value": "This problem is only present in Windows versions of PHP running in CGI mode, in systems where a codepage using \"Best Fit\" strategy is enabled.", "supportingMedia": [{"type": "text/html", "value": "This problem is only present in Windows versions of PHP running in CGI mode, in systems where a codepage using \"Best Fit\" strategy is enabled.&nbsp;<br>", "base64": false}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-06-09T19:42:36.464Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4577", "state": "PUBLISHED", "dateUpdated": "2024-08-19T07:54:59.546Z", "dateReserved": "2024-05-06T22:21:01.742Z", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "datePublished": "2024-06-09T19:42:36.464Z", "assignerShortName": "php"}, "dataVersion": "5.1"}

{"cisaActionDue": "2024-07-03", "cisaExploitAdd": "2024-06-12", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "PHP-CGI OS Command Injection Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8DF5D29-9ADB-4CE9-9DCE-9FFECA97800C", "versionEndExcluding": "8.1.29", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "A39988FF-D854-4277-9D66-6911AF371DD3", "versionEndExcluding": "8.2.20", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "F579FFC1-4F81-4755-B14B-3AA73AC9FF7A", "versionEndExcluding": "8.3.8", "versionStartIncluding": "8.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use \"Best-Fit\" behavior to replace characters in command line given to\u00a0Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc."}, {"lang": "es", "value": "En las versiones de PHP 8.1.* anteriores a 8.1.29, 8.2.* anteriores a 8.2.20, 8.3.* anteriores a 8.3.8, cuando se usa Apache y PHP-CGI en Windows, si el sistema est\u00e1 configurado para usar ciertas p\u00e1ginas de c\u00f3digos, Windows puede utilizar el comportamiento \"Mejor ajuste\" para reemplazar caracteres en la l\u00ednea de comando proporcionada a las funciones de la API de Win32. El m\u00f3dulo PHP CGI puede malinterpretar esos caracteres como opciones de PHP, lo que puede permitir a un usuario malintencionado pasar opciones al binario PHP que se est\u00e1 ejecutando y, por lo tanto, revelar el c\u00f3digo fuente de los scripts, ejecutar c\u00f3digo PHP arbitrario en el servidor, etc."}], "id": "CVE-2024-4577", "lastModified": "2024-11-21T09:43:08.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@php.net", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-09T20:15:09.550", "references": [{"source": "security@php.net", "tags": ["Mailing List", "Release Notes"], "url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"source": "security@php.net", "tags": ["Exploit", "Press/Media Coverage", "Third Party Advisory"], "url": "https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately"}, {"source": "security@php.net", "tags": ["Exploit", "Third Party Advisory"], "url": "https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/"}, {"source": "security@php.net", "tags": ["Exploit"], "url": "https://github.com/11whoami99/CVE-2024-4577"}, {"source": "security@php.net", "tags": ["Broken Link"], "url": "https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv"}, {"source": "security@php.net", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/rapid7/metasploit-framework/pull/19247"}, {"source": "security@php.net", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/watchtowrlabs/CVE-2024-4577"}, {"source": "security@php.net", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/xcanwin/CVE-2024-4577-PHP-RCE"}, {"source": "security@php.net", "tags": ["Exploit", "Third Party Advisory"], "url": "https://isc.sans.edu/diary/30994"}, {"source": "security@php.net", "tags": ["Exploit", "Third Party Advisory"], "url": "https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/"}, {"source": "security@php.net", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"source": "security@php.net", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240621-0008/"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/"}, {"source": "security@php.net", "tags": ["Release Notes"], "url": "https://www.php.net/ChangeLog-8.php#8.1.29"}, {"source": "security@php.net", "tags": ["Release Notes"], "url": "https://www.php.net/ChangeLog-8.php#8.2.20"}, {"source": "security@php.net", "tags": ["Release Notes"], "url": "https://www.php.net/ChangeLog-8.php#8.3.8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Release Notes"], "url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Press/Media Coverage", "Third Party Advisory"], "url": "https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://github.com/11whoami99/CVE-2024-4577"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/rapid7/metasploit-framework/pull/19247"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/watchtowrlabs/CVE-2024-4577"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/xcanwin/CVE-2024-4577-PHP-RCE"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://isc.sans.edu/diary/30994"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240621-0008/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.php.net/ChangeLog-8.php#8.1.29"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.php.net/ChangeLog-8.php#8.2.20"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.php.net/ChangeLog-8.php#8.3.8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.vicarius.io/vsociety/posts/php-cgi-argument-injection-to-rce-cve-2024-4577"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.vicarius.io/vsociety/posts/php-cgi-os-command-injection-vulnerability-cve-2024-4577"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@php.net", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "php: Argument Injection in PHP-CGI", "id": "2291281", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2291281"}, "csaw": true, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use \"Best-Fit\" behavior to replace characters in command line given to\u00a0Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.", "A flaw was found in PHP versions\u00a08.1 before 8.1.29, 8.2 before 8.2.20, and 8.3 before 8.3.8. When using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use the \"Best-Fit\" behavior to replace characters in the command line given to\u00a0Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options that allow a malicious user to pass options to the PHP binary being run, revealing the source code of scripts or running arbitrary PHP code on the server."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-4577", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:7.4/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:8.0/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php:8.1/php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-06-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-4577\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-4577\nhttp://www.openwall.com/lists/oss-security/2024/06/07/1\nhttps://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/\nhttps://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html\nhttps://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately\nhttps://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/\nhttps://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv\nhttps://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog"], "statement": "No Red Hat products are affected by this CVE.", "threat_severity": "Critical", "upstream_fix": "php 8.1.29, php 8.2.20, php 8.3.8"}