Vulnerability CVE-2024-5585: Information

Description

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Published: June 9, 2024
Modified: June 13, 2024
Error type identifier: CWE-116

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
php8.1sisyphus8.1.29-alt18.1.29-alt1ALT-PU-2024-8847-1350654Fixed
php8.1sisyphus_e2k8.1.29-alt18.1.29-alt1ALT-PU-2024-9120-1-Fixed
php8.1sisyphus_riscv648.1.29-alt18.1.29-alt1ALT-PU-2024-8970-1-Fixed
php8.1sisyphus_loongarch648.1.29-alt18.1.29-alt1ALT-PU-2024-8981-1-Fixed
php8.1p118.1.29-alt18.1.29-alt1ALT-PU-2024-8853-2350658Fixed
php8.2sisyphus8.2.20-alt18.2.20-alt1ALT-PU-2024-8849-1350656Fixed
php8.2sisyphus_e2k8.2.20-alt18.2.20-alt1ALT-PU-2024-9107-1-Fixed
php8.2sisyphus_riscv648.2.20-alt18.2.20-alt1ALT-PU-2024-9007-1-Fixed
php8.2sisyphus_loongarch648.2.20-alt18.2.20-alt1ALT-PU-2024-8982-1-Fixed
php8.2p10_e2k8.2.20-alt18.2.20-alt1ALT-PU-2024-9115-1-Fixed
php8.2p118.2.20-alt18.2.20-alt1ALT-PU-2024-8859-2350659Fixed
php8.3sisyphus8.3.8-alt18.3.8-alt1ALT-PU-2024-8855-1350657Fixed
php8.3sisyphus_e2k8.3.8-alt18.3.8-alt1ALT-PU-2024-9109-1-Fixed
php8.3sisyphus_riscv648.3.8-alt18.3.8-alt1ALT-PU-2024-8972-1-Fixed
php8.3sisyphus_loongarch648.3.8-alt18.3.8-alt1ALT-PU-2024-8983-1-Fixed
php8.3p118.3.8-alt18.3.8-alt1ALT-PU-2024-8861-2350660Fixed

References to Advisories, Solutions, and Tools

    1. Configuration 1

      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including
      8.2.0
      End excliding
      8.2.20

      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including
      8.3.0
      End excliding
      8.3.8

      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
      Start including
      8.1.0
      End excliding
      8.1.29

      Configuration 2

      cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*