Vulnerability CVE-2024-1874: Information

Description

In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. 

URL: https://nvd.nist.gov/vuln/detail/CVE-2024-1874
Published: April 29, 2024
Modified: May 1, 2024

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
php8.1sisyphus8.1.28-alt18.1.28-alt1ALT-PU-2024-6496-1345012Fixed
php8.1sisyphus_e2k8.1.28-alt18.1.28-alt1ALT-PU-2024-6556-1-Fixed
php8.1sisyphus_riscv648.1.28-alt18.1.28-alt1ALT-PU-2024-6616-1-Fixed
php8.1sisyphus_loongarch648.1.28-alt18.1.28-alt1ALT-PU-2024-6561-1-Fixed
php8.1p108.1.28-alt18.1.28-alt1ALT-PU-2024-6566-2345136Fixed
php8.1p10_e2k8.1.28-alt18.1.28-alt1ALT-PU-2024-6738-1-Fixed
php8.1c10f18.1.28-alt18.1.28-alt1ALT-PU-2024-6670-2345138Fixed
php8.2sisyphus8.2.18-alt18.2.19-alt1ALT-PU-2024-6444-1345013Fixed
php8.2sisyphus_e2k8.2.18-alt18.2.18-alt1ALT-PU-2024-6557-1-Fixed
php8.2sisyphus_riscv648.2.18-alt18.2.19-alt1ALT-PU-2024-6618-1-Fixed
php8.2sisyphus_loongarch648.2.18-alt18.2.19-alt1ALT-PU-2024-6563-1-Fixed
php8.2p108.2.18-alt18.2.19-alt1ALT-PU-2024-6501-2345089Fixed
php8.2p10_e2k8.2.18-alt18.2.18-alt1ALT-PU-2024-6789-1-Fixed
php8.3sisyphus8.3.6-alt18.3.7-alt1ALT-PU-2024-6442-1344089Fixed
php8.3sisyphus_e2k8.3.6-alt18.3.6-alt1ALT-PU-2024-6553-1-Fixed
php8.3sisyphus_riscv648.3.6-alt18.3.7-alt1ALT-PU-2024-6517-1-Fixed
php8.3sisyphus_loongarch648.3.6-alt18.3.7-alt1ALT-PU-2024-6559-1-Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
    http://www.openwall.com/lists/oss-security/2024/04/12/11
      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
      Version: v24.5.1
      Back to top