Improper Encoding or Escaping of Output (CWE-116)
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. When proc_open() is called with the array command syntax, escaping is insufficient, so if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that execute arbitrary commands in the Windows shell.
A successful attack could allow a remote attacker to execute arbitrary code on the affected system with the privileges of the PHP process, potentially leading to complete system compromise. This could result in data theft, system disruption, deployment of malware, and other malicious actions.
One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.
Updating to PHP versions 8.1.29, 8.2.20, or 8.3.8 or later will address this vulnerability.
If patching is not immediately possible, carefully validate and sanitize all user input passed to proc_open() and other shell command execution functions. Apply the principle of least privilege and run PHP processes with minimal permissions.
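As an added defensive example (not PHP's own code and not the CVE-2024-5585 fix), the wrapper below shows what "validate and sanitize all user input passed to proc_open()" can look like in practice. The SafeProcess class name, the allow-listed executable paths, the argument pattern and the sample inputs are all assumptions constructed for this example. It rejects a command name with leading or trailing whitespace (the edge case in the advisory), refuses any executable not on an allow-list, and restricts arguments to a conservative character set before the array ever reaches proc_open(), on Windows or Unix alike.

```php
<?php
declare(strict_types=1);

// Added defensive wrapper (example only; not PHP's code and not the CVE-2024-5585 fix).
// It validates a proc_open() command array before the call so that a command name
// with trailing whitespace, a non-allow-listed executable, or an argument containing
// shell-significant characters never reaches the platform's argument escaping at all.
final class SafeProcess
{
    // Hypothetical allow-list of executables this application may launch (constructed paths).
    private const ALLOWED_COMMANDS = [
        'C:\\Tools\\convert.exe',
        '/usr/bin/convert',
    ];

    // Conservative argument alphabet: letters, digits, dot, underscore, slash, backslash,
    // colon, equals, plus, comma, hyphen. No spaces, quotes, %, ^, &, |, <, > or control chars.
    private const ARG_PATTERN = '/\A[A-Za-z0-9._\/\\\\:=+,-]{1,256}\z/';

    /**
     * Validate a command array and return it unchanged.
     *
     * @param list<string> $command [executable, arg1, arg2, ...]
     * @return list<string>
     * @throws InvalidArgumentException when any element fails validation
     */
    public static function validateCommand(array $command): array
    {
        if ($command === [] || !array_is_list($command)) {
            throw new InvalidArgumentException('command must be a non-empty list');
        }

        $name = $command[0];
        if (!is_string($name)) {
            throw new InvalidArgumentException('command name must be a string');
        }
        // The advisory's edge case: reject names with surrounding whitespace outright
        // rather than trimming, so a tampered name is a hard failure, not a silent repair.
        if ($name !== trim($name)) {
            throw new InvalidArgumentException('command name has leading or trailing whitespace');
        }
        if (!in_array($name, self::ALLOWED_COMMANDS, true)) {
            throw new InvalidArgumentException('command name is not on the allow-list');
        }

        foreach (array_slice($command, 1) as $index => $arg) {
            if (!is_string($arg) || preg_match(self::ARG_PATTERN, $arg) !== 1) {
                throw new InvalidArgumentException(
                    sprintf('argument %d contains disallowed characters', $index + 1)
                );
            }
        }
        return $command;
    }

    /** Validate, run, and return stdout; a non-zero exit status is an error. */
    public static function run(array $command): string
    {
        $command = self::validateCommand($command);
        $descriptors = [
            0 => ['pipe', 'r'],
            1 => ['pipe', 'w'],
            2 => ['pipe', 'w'],
        ];
        $process = proc_open($command, $descriptors, $pipes);
        if (!is_resource($process)) {
            throw new RuntimeException('proc_open() failed');
        }
        fclose($pipes[0]);
        $stdout = stream_get_contents($pipes[1]);
        $stderr = stream_get_contents($pipes[2]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        $exitCode = proc_close($process);
        if ($exitCode !== 0) {
            throw new RuntimeException(
                sprintf('command exited with %d: %s', $exitCode, trim($stderr))
            );
        }
        return $stdout;
    }
}

// Constructed inputs: the first is rejected for the trailing space in the command name,
// the second for the space and ampersand in an argument; the third passes validation.
$samples = [
    ['C:\\Tools\\convert.exe ', 'in.png', 'out.jpg'],
    ['C:\\Tools\\convert.exe', 'in.png', 'out.jpg & extra'],
    ['C:\\Tools\\convert.exe', 'in.png', 'out.jpg'],
];
foreach ($samples as $sample) {
    try {
        SafeProcess::validateCommand($sample);
        echo 'accepted: ', implode(' ', $sample), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The strict in_array() comparison would already reject a name with trailing whitespace, but the explicit trim() check is kept so the failure is reported for the right reason. The argument pattern is deliberately narrow (no spaces at all); widen it per call site only after confirming the target program cannot be steered by the extra characters, and keep validating even after upgrading, since allow-listing the executable and its arguments is defence in depth rather than a replacement for the fixed PHP versions.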
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Feedly found the first article mentioning CVE-2024-5585.
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-5585
A CVSS base score of 7.7 has been assigned.
Detection for the vulnerability has been added to Qualys (38953)
EPSS Score was set to: 0.04% (Percentile: 9.5%)
Red Hat released a security advisory for CVE-2024-5585.
Detection for the vulnerability has been added to Nessus (200375)
A CVSS base score of 8.8 has been assigned.