CVE-2024-1874
Public on 2024-04-15
Modified on 2024-04-15
Description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when processing array-ish $command parameter of proc_open. A remote attacker can pass specially crafted input to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
The vulnerability exists due to improper input validation when processing array-ish $command parameter of proc_open. A remote attacker can pass specially crafted input to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | php | Not Affected | ||
| Amazon Linux 2 - Core | php | Not Affected | ||
| Amazon Linux 2 - Php8.1 Extra | php | Not Affected | ||
| Amazon Linux 2 - Php8.2 Extra | php | Not Affected | ||
| Amazon Linux 1 | php56 | Not Affected | ||
| Amazon Linux 2023 | php8.1 | Not Affected | ||
| Amazon Linux 2023 | php8.2 | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSSv3 | 9.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |