CVE-2024-5585 | Zend by Perforce

php: Arguments execute arbitrary commands in Windows shell

Publication Date	2024-06-07
Severity	Low
Type	Remote Code Execution
Affected PHP Versions	7.4.0-7.4.33 8.0.0-8.0.30 8.1.0-8.1.28 8.2.0-8.2.19 8.3.0-8.3.7
Fixed Product Versions	ZendPHP 7.4 ZendPHP 8.0 ZendPHP 8.1 ZendPHP 8.2 ZendPHP 8.3 ZendServer 2021.3.5

CVE Details

The fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

Recommendations

For Windows users, we recommend updating to a patched version of PHP.

< View all CVEs