NVD Vulnerability Detail

CVE-2024-1874

Summary	In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
Publication Date	April 29, 2024, 1:15 p.m.
Registration Date	April 29, 2024, 4 p.m.
Last Update	Nov. 21, 2024, 5:51 p.m.

Related information, measures and tools

No	URL	refsource	タグ
1	http://www.openwall.com/lists/oss-security/2024/04/12/11
2	http://www.openwall.com/lists/oss-security/2024/04/12/11
3	http://www.openwall.com/lists/oss-security/2024/06/07/1
4	http://www.openwall.com/lists/oss-security/2024/06/07/1
5	https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
6	https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
7	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/
8	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/
9	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/
10	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/
11	https://security.netapp.com/advisory/ntap-20240510-0009/
12	https://security.netapp.com/advisory/ntap-20240510-0009/
13	https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585

Common Vulnerabilities List

JVN Vulnerability Information

The PHP Group の PHP 等複数ベンダの製品におけるエンコードおよびエスケープに関する脆弱性

Title	The PHP Group の PHP 等複数ベンダの製品におけるエンコードおよびエスケープに関する脆弱性
Summary	The PHP Group の PHP 等複数ベンダの製品には、エンコードおよびエスケープに関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	April 29, 2024, midnight
Registration Date	June 20, 2025, 10:38 a.m.
Last Update	June 20, 2025, 10:38 a.m.

Affected System

The PHP Group

PHP 8.1.0 以上 8.1.28 未満

PHP 8.2.0 以上 8.2.18 未満

PHP 8.3.0 以上 8.3.5 未満

Fedora Project

Fedora 39

Fedora 40

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-1874	https://www.cve.org/CVERecord?id=CVE-2024-1874
National Vulnerability Database (NVD)
2	CVE-2024-1874	https://nvd.nist.gov/vuln/detail/CVE-2024-1874

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-116	https://cwe.mitre.org/data/definitions/116.html

その他

No	Name	URL
関連文書
1	github.com (GHSA-pc52-254m-w9w7)	https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
2	lists.fedoraproject.org (PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B)	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/
3	lists.fedoraproject.org (W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK)	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/
4	security.netapp.com (ntap-20240510-0009)	https://security.netapp.com/advisory/ntap-20240510-0009/
5	www.openwall.com (oss-security/2024/04/12/11)	http://www.openwall.com/lists/oss-security/2024/04/12/11
6	www.openwall.com (oss-security/2024/06/07/1)	http://www.openwall.com/lists/oss-security/2024/06/07/1
7	www.vicarius.io (command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585)	https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585

Change Log

No	Changed Details	Date of change
1	[2025年06月20日] 掲載	June 20, 2025, 10:33 a.m.