PHP 8.1/8.2/8.3 cmd injection via proc_open() array syntax (< v8.1.28 / < v8.2.18 / < v8.3.5)
CVE-2024-1874 Published on April 29, 2024
Command injection via array-ish $command parameter of proc_open()
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
Vulnerability Analysis
CVE-2024-1874 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
What is an Output Sanitization Vulnerability?
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CVE-2024-1874 has been classified to as an Output Sanitization vulnerability or weakness.
Products Associated with CVE-2024-1874
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-1874 are published in these products:
Affected Versions
PHP Group PHP:- Version 8.1.* and below 8.1.28 is affected.
- Version 8.2.* and below 8.2.18 is affected.
- Version 8.3.* and below 8.3.5 is affected.
- Version 8.1.0 is affected.
- Version 8.2.0 is affected.
- Version 8.3.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.