CVE-2024-5585
09.06.2024, 19:15
In PHP versions8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix forCVE-2024-1874 does not work if the command name includes trailing spaces. Original issue:when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
| Vendor | Product | Version |
|---|---|---|
| php | php | 8.1.29 < 𝑥 < 8.1.29 |
| php | php | 8.2.20 < 𝑥 < 8.2.20 |
| php | php | 8.3.8 < 𝑥 < 8.3.8 |
| php | php | 8.1.0 ≤ 𝑥 < 8.1.29 |
| php | php | 8.2.0 ≤ 𝑥 < 8.2.20 |
| php | php | 8.3.0 ≤ 𝑥 < 8.3.8 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| php5 |
| ||||||||||
| php7.0 |
| ||||||||||
| php7.2 |
| ||||||||||
| php7.4 |
| ||||||||||
| php8.1 |
| ||||||||||
| php8.2 |
| ||||||||||
| php8.3 |
|
Common Weakness Enumeration
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- CWE-116 - Improper Encoding or Escaping of OutputThe software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
References