CVE-2024-5585

Improper Encoding or Escaping of Output (CWE-116)

Published: Jun 9, 2024 / Updated: 5mo ago

CVSS: 8.8 (High) / EPSS: 0.04%

Summary

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. When proc_open() is called with the array command syntax, escaping of the arguments is insufficient on Windows; if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that execute arbitrary commands in the Windows shell.

Impact

A successful attack could allow a remote attacker to execute arbitrary code on the affected system with the privileges of the PHP process, potentially leading to complete system compromise. This could result in data theft, system disruption, deployment of malware, and other malicious actions.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.

Patch

Updating to PHP versions 8.1.29, 8.2.20, or 8.3.8 or later will address this vulnerability.

Mitigation

If patching is not immediately possible, carefully validate and sanitize all user input passed to proc_open() and other command execution functions, paying particular attention to command names with trailing whitespace and to arguments that reach the Windows shell. Apply the principle of least privilege and run PHP processes with minimal permissions.
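The following is an added example of the kind of input validation the mitigation describes; it is not code from the PHP project or from this advisory. It wraps proc_open() in an allowlist on the command name (matched exactly, so a trailing space never matches), restricts each argument to a conservative character set before anything reaches cmd.exe, and sets the real `bypass_shell` option so the child is started without the shell at all. The allowlisted tool name, its executable path, and the argument character class are assumptions chosen for illustration.

```php
<?php
// Added example (not from the advisory): defensive wrapper around proc_open()
// for Windows. The 'git' entry and its path are assumed values for illustration.

function run_allowlisted(string $cmd, array $args): ?string
{
    // Exact-match allowlist of command names mapped to fixed executable paths.
    // Comparing against trim($cmd) rejects names with trailing whitespace,
    // which is the input shape the incomplete CVE-2024-1874 fix missed.
    $allowed = ['git' => 'C:\\Program Files\\Git\\cmd\\git.exe']; // assumed path
    if ($cmd !== trim($cmd) || !isset($allowed[$cmd])) {
        return null;
    }

    // Arguments: allow only a narrow character set, no whitespace or shell
    // metacharacters, and no leading '-' so a value cannot become an option.
    foreach ($args as $a) {
        if (!is_string($a) || !preg_match('/\A[A-Za-z0-9._][A-Za-z0-9._\/-]{0,127}\z/', $a)) {
            return null;
        }
    }

    $descriptors = [
        1 => ['pipe', 'w'], // stdout
        2 => ['pipe', 'w'], // stderr
    ];

    // Array command syntax plus bypass_shell: the executable is launched
    // directly rather than through cmd.exe, so no shell parsing happens.
    $proc = proc_open(
        array_merge([$allowed[$cmd]], $args),
        $descriptors,
        $pipes,
        null,
        null,
        ['bypass_shell' => true]
    );
    if (!is_resource($proc)) {
        return null;
    }

    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Usage with constructed inputs: the first call is accepted, the others are
// rejected before proc_open() is ever reached.
var_dump(run_allowlisted('git', ['--version']) !== null); // accepted argument shape
var_dump(run_allowlisted('git ', ['--version']));         // NULL: trailing space in name
var_dump(run_allowlisted('git', ['x" & calc & "']));      // NULL: metacharacters in argument
```

Note that the allowlist check is the load-bearing control here; the argument filter and `bypass_shell` are defence in depth, and none of these replace upgrading to a fixed PHP release.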

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-5585.

Jun 4, 2024 at 3:58 PM / Linux Compatible
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jun 6, 2024 at 9:13 PM
CVE Assignment

NVD published the first details for CVE-2024-5585

Jun 9, 2024 at 7:15 PM
CVSS

A CVSS base score of 7.7 has been assigned.

Jun 9, 2024 at 7:20 PM / nvd
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (38953)

Jun 10, 2024 at 7:53 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.5%)

Jun 10, 2024 at 1:30 PM
Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2024-5585).

Jun 11, 2024 at 2:31 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (200375)

Jun 12, 2024 at 11:15 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Jun 12, 2024 at 5:20 PM / nvd

Affected Systems

Php/php

Exploits

https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385

Patches

bugzilla.redhat.com

Attack Patterns

CAPEC-104: Cross Zone Scripting

Vendor Advisory

Oracle Critical Patch Update Advisory - October 2024
Oracle Id: cpuoct2024 Release Date: 2024-10-15 Update Date: 2024-10-15 Description A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories. Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.

References

PHP 8.3.8 Released
All PHP 8.3 users are encouraged to upgrade to this version. For source downloads of PHP 8.3.8 please visit our downloads page: https://www.php.net/downloads
PHP: PHP 8 ChangeLog
Version 8.3.8 (06 Jun 2024). CGI: Fixed buffer limit on Windows, replacing read call usage by _read. Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection in PHP-CGI) (CVE-2024-4577). CLI: Fixed bug GH-14189 (PHP Interactive shell input state incorrectly handles quoted heredoc literals). Core: Fixed bug GH-13970 (Incorrect validation of #[Attribute] flags type for non-compile-time expressions).
PHP 8.1.29 Released!
All PHP 8.1 users are encouraged to upgrade to this version.

News

cPanel EasyApache update for PHP
Risk Critical Patch available YES Number of vulnerabilities 5 CVE-ID CVE-2012-1823 Public exploit code for vulnerability #4 is available.
NCSC-2024-0414 [1.00] [M/H] Vulnerabilities fixed in Oracle Communications
Improper Check or Handling of Exceptional Conditions Improper Restriction of Operations within the Bounds of a Memory Buffer
oracle CPUOct2024: MySQL Cluster 9.0.2
Development Last Updated: 10/15/2024 CVEs: CVE-2024-21203 , CVE-2024-21201 , CVE-2024-21199 , CVE-2024-5535 , CVE-2024-21194 , CVE-2024-21241 , CVE-2024-21238 , CVE-2024-6119 , CVE-2024-21218 , CVE-2024-2408 , CVE-2024-37370 , CVE-2024-1874 , CVE-2024-21198 , CVE-2024-21196 , CVE-2024-21244 , CVE-2024-21247 , CVE-2024-21207 , CVE-2024-21232 , CVE-2024-21243 , CVE-2024-21213 , CVE-2024-21237 , CVE-2024-5585 , CVE-2024-21230 , CVE-2024-21231 , CVE-2024-21236 , CVE-2024-37371 , CVE-2024-21219 , CVE-2024-7264 , CVE-2024-4577 , CVE-2024-21239 , CVE-2024-5458 , CVE-2024-21193 , CVE-2024-21197 , CVE-2024-21209 , CVE-2024-21204
oracle CPUOct2024: MySQL Server 9.0.2
Development Last Updated: 10/15/2024 CVEs: CVE-2024-21203 , CVE-2024-21201 , CVE-2024-21199 , CVE-2024-5535 , CVE-2024-21194 , CVE-2024-21241 , CVE-2024-21238 , CVE-2024-6119 , CVE-2024-21218 , CVE-2024-2408 , CVE-2024-37370 , CVE-2024-1874 , CVE-2024-21198 , CVE-2024-21196 , CVE-2024-21244 , CVE-2024-21247 , CVE-2024-21207 , CVE-2024-21232 , CVE-2024-21243 , CVE-2024-21213 , CVE-2024-21237 , CVE-2024-5585 , CVE-2024-21230 , CVE-2024-21231 , CVE-2024-21236 , CVE-2024-37371 , CVE-2024-21219 , CVE-2024-7264 , CVE-2024-4577 , CVE-2024-21239 , CVE-2024-5458 , CVE-2024-21193 , CVE-2024-21197 , CVE-2024-21209 , CVE-2024-21204
Multiple vulnerabilities in Communications Unified Assurance
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
