CVE-2024-4577
CVSS v3.1
9.8 (Critical)
EPSS
96.32 % (100th)
Affected Products
2
Advisories
5
NVD Status
Analyzed
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Weaknesses
- CWE-78
- Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CVE Status
- PUBLISHED
- NVD Status
- Analyzed
- CNA
- PHP Group
- Published Date
-
2024-06-09 20:15:09
(3 months ago) - Updated Date
-
2024-08-14 19:23:47
(3 weeks ago)
PHP-CGI OS Command Injection Vulnerability (CISA - Known Exploited Vulnerabilities Catalog)
- Description
- PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823.
- Required Action
- Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
- Known to be Used in Ransomware Campaigns
- Known
- Notes
- This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://www.php.net/ChangeLog-8.php#
- Vendor
- PHP Group
- Product
- PHP
- In CISA Catalog from
-
2024-06-12
(2 months ago) - Due Date
-
2024-07-03
(2 months ago)
Affected Products
Loading...
Loading...
Loading...
Configuration #1
|
Configuration #2
|
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...