{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-5585", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "state": "PUBLISHED", "assignerShortName": "php", "dateReserved": "2024-06-01T00:08:21.997Z", "datePublished": "2024-06-09T18:36:50.477Z", "dateUpdated": "2024-08-19T07:35:25.799Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["proc_open"], "platforms": ["Windows"], "product": "PHP", "repo": "https://github.com/php/php-src", "vendor": "PHP Group", "versions": [{"lessThan": "8.1.29", "status": "affected", "version": "8.1.*", "versionType": "semver"}, {"lessThan": "8.2.20", "status": "affected", "version": "8.2.*", "versionType": "semver"}, {"lessThan": "8.3.8", "status": "affected", "version": "8.3.*", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This problem only present in Windows versions of PHP. <br>"}], "value": "This problem only present in Windows versions of PHP."}], "credits": [{"lang": "en", "type": "reporter", "value": "tianstcht"}], "datePublic": "2024-06-09T18:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In PHP versions<span style=\"background-color: var(--wht);\">&nbsp;8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue:&nbsp;</span>when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.&nbsp;</span><span style=\"background-color: var(--wht);\"><br></span>"}], "value": "In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for\u00a0CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue:\u00a0when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-06-09T18:36:50.477Z"}, "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"url": "https://security.netapp.com/advisory/ntap-20240726-0002/"}], "source": {"advisory": "GHSA-9fcc-425m-g385", "discovery": "EXTERNAL"}, "title": "Command injection via array-ish $command parameter of proc_open() (bypass CVE-2024-1874 fix)", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Using proc_open() string syntax avoids the problem. <br>"}], "value": "Using proc_open() string syntax avoids the problem."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "php", "product": "php", "cpes": ["cpe:2.3:a:php:php:8.1.0:-:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "8.1.0", "status": "affected", "lessThan": "8.1.29", "versionType": "semver"}]}, {"vendor": "php", "product": "php", "cpes": ["cpe:2.3:a:php:php:8.2.0:-:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "8.2.0", "status": "affected", "lessThan": "8.2.20", "versionType": "semver"}]}, {"vendor": "php", "product": "php", "cpes": ["cpe:2.3:a:php:php:8.3.0:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "8.3.0", "status": "affected", "lessThan": "8.3.8", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-16T17:52:45.720953Z", "id": "CVE-2024-5585", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T18:15:25.949Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:35:25.799Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240726-0002/", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585"}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240726-0002/", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:35:25.799Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5585", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-16T17:52:45.720953Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:php:php:8.1.0:-:*:*:*:*:*:*"], "vendor": "php", "product": "php", "versions": [{"status": "affected", "version": "8.1.0", "lessThan": "8.1.29", "versionType": "semver"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:php:php:8.2.0:-:*:*:*:*:*:*"], "vendor": "php", "product": "php", "versions": [{"status": "affected", "version": "8.2.0", "lessThan": "8.2.20", "versionType": "semver"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:php:php:8.3.0:*:*:*:*:*:*:*"], "vendor": "php", "product": "php", "versions": [{"status": "affected", "version": "8.3.0", "lessThan": "8.3.8", "versionType": "semver"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T18:15:16.620Z"}}], "cna": {"title": "Command injection via array-ish $command parameter of proc_open() (bypass CVE-2024-1874 fix)", "source": {"advisory": "GHSA-9fcc-425m-g385", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "tianstcht"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/php/php-src", "vendor": "PHP Group", "modules": ["proc_open"], "product": "PHP", "versions": [{"status": "affected", "version": "8.1.*", "lessThan": "8.1.29", "versionType": "semver"}, {"status": "affected", "version": "8.2.*", "lessThan": "8.2.20", "versionType": "semver"}, {"status": "affected", "version": "8.3.*", "lessThan": "8.3.8", "versionType": "semver"}], "platforms": ["Windows"], "defaultStatus": "affected"}], "datePublic": "2024-06-09T18:30:00.000Z", "references": [{"url": "https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"url": "https://security.netapp.com/advisory/ntap-20240726-0002/"}], "workarounds": [{"lang": "en", "value": "Using proc_open() string syntax avoids the problem.", "supportingMedia": [{"type": "text/html", "value": "Using proc_open() string syntax avoids the problem. <br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for\u00a0CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue:\u00a0when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.", "supportingMedia": [{"type": "text/html", "value": "In PHP versions<span style=\"background-color: var(--wht);\">&nbsp;8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue:&nbsp;</span>when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.&nbsp;</span><span style=\"background-color: var(--wht);\"><br></span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "configurations": [{"lang": "en", "value": "This problem only present in Windows versions of PHP.", "supportingMedia": [{"type": "text/html", "value": "This problem only present in Windows versions of PHP. <br>", "base64": false}]}], "providerMetadata": {"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php", "dateUpdated": "2024-06-09T18:36:50.477Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5585", "state": "PUBLISHED", "dateUpdated": "2024-08-19T07:35:25.799Z", "dateReserved": "2024-06-01T00:08:21.997Z", "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "datePublished": "2024-06-09T18:36:50.477Z", "assignerShortName": "php"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DC2EEF8-834B-42A1-8DA3-0C2CF22A7070", "versionEndExcluding": "8.1.29", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "A39988FF-D854-4277-9D66-6911AF371DD3", "versionEndExcluding": "8.2.20", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "F579FFC1-4F81-4755-B14B-3AA73AC9FF7A", "versionEndExcluding": "8.3.8", "versionStartIncluding": "8.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for\u00a0CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue:\u00a0when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell."}, {"lang": "es", "value": "En las versiones de PHP 8.1.* anteriores a 8.1.29, 8.2.* anteriores a 8.2.20, 8.3.* anteriores a 8.3.8, la soluci\u00f3n para CVE-2024-1874 no funciona si el nombre del comando incluye espacios finales. Problema original: cuando se utiliza el comando proc_open() con sintaxis de matriz, debido a un escape insuficiente, si los argumentos del comando ejecutado est\u00e1n controlados por un usuario malintencionado, el usuario puede proporcionar argumentos que ejecutar\u00edan comandos arbitrarios en el shell de Windows."}], "id": "CVE-2024-5585", "lastModified": "2024-07-28T14:15:11.033", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.5, "source": "security@php.net", "type": "Secondary"}]}, "published": "2024-06-09T19:15:52.597", "references": [{"source": "security@php.net", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"}, {"source": "security@php.net", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"}, {"source": "security@php.net", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"}, {"source": "security@php.net", "url": "https://security.netapp.com/advisory/ntap-20240726-0002/"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-116"}, {"lang": "en", "value": "CWE-78"}], "source": "security@php.net", "type": "Secondary"}]}

{"bugzilla": {"description": "php: Arguments execute arbitrary commands in Windows shell", "id": "2291311", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2291311"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["In PHP versions\u00a08.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for\u00a0CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue:\u00a0when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.", "In PHP, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-5585", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:7.4/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:8.0/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php:8.1/php", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "php:8.2/php", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-06-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-5585\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-5585\nhttp://www.openwall.com/lists/oss-security/2024/06/07/1\nhttps://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385"], "statement": "No Red Hat products are affected by this CVE.", "threat_severity": "Important", "upstream_fix": "php 8.1.29, php 8.2.20, php 8.3.8"}