PT-2024-18382 · Php+1 · Php+1
Ry0Tak +1 · Published 2024-04-09 · Updated 2025-12-10 · CVE-2024-1874
CVSS v2.0: 9.7 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:P
Name of the Vulnerable Software and Affected Versions
PHP versions prior to 8.1.29, prior to 8.2.20, and prior to 8.3.8
GHC versions 9.6.5, 9.8.3, and 9.10.1-alpha3
Description
A command injection vulnerability exists in PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8 when using the proc_open() function with array syntax. Insufficient escaping allows a malicious user to supply arguments that can execute arbitrary commands in the Windows shell. This vulnerability also affects the process library on Windows, where the cmd.exe interpreter is susceptible to command injection when executing .bat or .cmd files with arguments influenced by program input. The CreateProcess function implicitly spawns cmd.exe without proper escaping of special characters, leading to potential command injection. The initial fix for CVE-2024-1874 does not fully address the issue if the command name includes trailing spaces. The RawCommand constructor serializes the executable name and arguments into a single command line string, which is then passed to the CreateProcess function.
Recommendations
Upgrade PHP to version 8.1.29 or later.
Upgrade PHP to version 8.2.20 or later.
Upgrade PHP to version 8.3.8 or later.
Upgrade the process library to version 1.6.19.0 or later.
Upgrade GHC to version 9.6.5 or later.
Upgrade GHC to version 9.8.3 or later.
Upgrade GHC to version 9.10.1-alpha3 or later.
Avoid executing batch files with arguments derived from untrusted input.
If batch file execution is necessary with untrusted input, reject arguments containing special characters like & and " to mitigate the risk.
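The last recommendation can be enforced as a pre-flight check in front of proc_open() with array syntax. The following is an added example, not code from PHP or from this advisory; the function names, the script name report.bat and the metacharacter set beyond & and " are assumptions of the example.

```php
<?php

// Characters cmd.exe treats specially. The advisory names & and "; the rest
// of this set is this example's own conservative choice (an assumption).
const CMD_METACHARS = "&\"|<>^%!()\r\n";

// True when the command name would be run through cmd.exe as a batch file.
function is_batch_file(string $command): bool
{
    // Strip trailing spaces and dots first, so "run.bat " is still classified.
    $name = rtrim($command, " \t.");
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ['bat', 'cmd'], true);
}

// Returns the proc_open() array-syntax command unchanged, or throws when a
// batch file would receive an argument containing a metacharacter.
function check_command(array $cmd): array
{
    if ($cmd === [] || !is_string($cmd[0])) {
        throw new InvalidArgumentException('command must be a non-empty array');
    }
    if (!is_batch_file($cmd[0])) {
        return $cmd;
    }
    foreach (array_slice($cmd, 1) as $i => $arg) {
        if (strpbrk((string) $arg, CMD_METACHARS) !== false) {
            throw new InvalidArgumentException('unsafe batch-file argument #' . ($i + 1));
        }
    }
    return $cmd;
}

// Constructed sample inputs; "report.bat" is a hypothetical script name.
$samples = [
    ['report.bat', 'summary.txt'],
    ['report.bat', 'a&b'],
    ['report.bat ', 'x"y'],   // trailing space in the command name
    ['php.exe', 'a&b'],       // not a batch file, so not routed via cmd.exe
];
foreach ($samples as $cmd) {
    try {
        check_command($cmd);
        echo json_encode($cmd), " => allowed\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($cmd), ' => ', $e->getMessage(), "\n";
    }
}
```

A caller would pass the returned array straight to proc_open(); the check complements the version upgrades listed above rather than replacing them.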
Improper Encoding or Escaping of Output
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Php