In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-52c23ef1ec advisory.

    **PHP version 8.2.20** (06 Jun 2024)

    **CGI:**

    * Fixed buffer limit on Windows, replacing read call usage by _read. (David Carlier)
    * Fixed bug [GHSA-3qgc-jrrr-25jv](https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv)     (Bypass of CVE-2012-1823, Argument Injection in PHP-CGI). (CVE-2024-4577) (nielsdos)

    **CLI:**

    * Fixed bug [GH-14189](https://github.com/php/php-src/issues/14189) (PHP Interactive shell input state     incorrectly handles quoted heredoc literals.). (nielsdos)

    **Core:**

    * Fixed bug [GH-13970](https://github.com/php/php-src/issues/13970) (Incorrect validation of #[Attribute]     flags type for non-compile-time expressions). (ilutov)
    * Fixed bug [GH-14140](https://github.com/php/php-src/issues/14140) (Floating point bug in range operation     on Apple Silicon hardware). (Derick, Saki)

    **DOM:**

    * Fix crashes when entity declaration is removed while still having entity references. (nielsdos)
    * Fix references not handled correctly in C14N. (nielsdos)
    * Fix crash when calling childNodes next() when iterator is exhausted. (nielsdos)
    * Fix crash in ParentNode::append() when dealing with a fragment containing text nodes. (nielsdos)

    **FFI:**

    * Fixed bug [GH-14215](https://github.com/php/php-src/issues/14215) (Cannot use FFI::load on CRLF header     file with apache2handler). (nielsdos)

    **Filter:**

    * Fixed bug [GHSA-w8qr-v226-r27w](https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w)     (Filter bypass in filter_var FILTER_VALIDATE_URL). (**CVE-2024-5458**) (nielsdos)

    **FPM:**

    * Fix bug [GH-14175](https://github.com/php/php-src/issues/14175) (Show decimal number instead of     scientific notation in systemd status). (Benjamin Cremer)

    **Hash:**

    * ext/hash: Swap the checking order of `__has_builtin` and `__GNUC__` (Saki Takamachi)

    **Intl:**

    * Fixed build regression on systems without C++17 compilers. (Calvin Buckley, Peter Kokot)

    **Ini:**

    * Fixed bug [GH-14100](https://github.com/php/php-src/issues/14100) (Corrected spelling mistake in php.ini     files). (Marcus Xavier)

    **MySQLnd:**

    * Fix bug [GH-14255](https://github.com/php/php-src/issues/14255) (mysqli_fetch_assoc reports error from     nested query). (Kamil Tekiela)

    **Opcache:**

    * Fixed bug [GH-14109](https://github.com/php/php-src/issues/14109) (Fix accidental persisting of internal     class constant in shm). (ilutov)

    **OpenSSL:**

    * The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is     the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes     the changes from this pull request: https://github.com/openssl/openssl/pull/13817     (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to     stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since     the previous release. All distributors and builders should ensure that this version is used to prevent PHP     from being vulnerable. (**CVE-2024-2408**)

    **Standard:**

    * Fixed bug [GHSA-9fcc-425m-g385](https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385)     (Bypass of CVE-2024-1874). (CVE-2024-5585) (nielsdos)

    **XML:**

    * Fixed bug [GH-14124](https://github.com/php/php-src/issues/14124) (Segmentation fault with XML extension     under certain memory limit). (nielsdos)

    **XMLReader:**

    * Fixed bug [GH-14183](https://github.com/php/php-src/issues/14183) (XMLReader::open() can't be     overridden). (nielsdos)



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-49aba7b305 advisory.

    **PHP version 8.3.8** (06 Jun 2024)

    **CGI:**

    * Fixed buffer limit on Windows, replacing read call usage by _read. (David Carlier)
    * Fixed bug [GHSA-3qgc-jrrr-25jv](https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv)     (Bypass of CVE-2012-1823, Argument Injection in PHP-CGI). (CVE-2024-4577) (nielsdos)

    **CLI:**

    * Fixed bug [GH-14189](https://github.com/php/php-src/issues/14189) (PHP Interactive shell input state     incorrectly handles quoted heredoc literals.). (nielsdos)

    **Core:**

    * Fixed bug [GH-13970](https://github.com/php/php-src/issues/13970) (Incorrect validation of #[Attribute]     flags type for non-compile-time expressions). (ilutov)

    **DOM:**

    * Fix crashes when entity declaration is removed while still having entity references. (nielsdos)
    * Fix references not handled correctly in C14N. (nielsdos)
    * Fix crash when calling childNodes next() when iterator is exhausted. (nielsdos)
    * Fix crash in ParentNode::append() when dealing with a fragment containing text nodes. (nielsdos)

    **Filter:**

    * Fixed bug [GHSA-w8qr-v226-r27w](https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w)     (Filter bypass in filter_var FILTER_VALIDATE_URL). (**CVE-2024-5458**) (nielsdos)

    **FPM:**

    * Fix bug [GH-14175](https://github.com/php/php-src/issues/14175) (Show decimal number instead of     scientific notation in systemd status). (Benjamin Cremer)

    **Hash:**

    * ext/hash: Swap the checking order of `__has_builtin` and `__GNUC__` (Saki Takamachi)

    **Intl:**

    * Fixed build regression on systems without C++17 compilers. (Calvin Buckley, Peter Kokot)

    **MySQLnd:**

    * Fix bug [GH-14255](https://github.com/php/php-src/issues/14255) (mysqli_fetch_assoc reports error from     nested query). (Kamil Tekiela)

    **Opcache:**

    * Fixed bug [GH-14109](https://github.com/php/php-src/issues/14109) (Fix accidental persisting of internal     class constant in shm). (ilutov)

    **OpenSSL:**

    * The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is     the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes     the changes from this pull request: https://github.com/openssl/openssl/pull/13817     (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to     stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since     the previous release. All distributors and builders should ensure that this version is used to prevent PHP     from being vulnerable. (**CVE-2024-2408**)

    **Standard:**

    * Fixed bug [GHSA-9fcc-425m-g385](https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385)     (Bypass of CVE-2024-1874). (CVE-2024-5585) (nielsdos)

    **XML:**

    * Fixed bug [GH-14124](https://github.com/php/php-src/issues/14124) (Segmentation fault with XML extension     under certain memory limit). (nielsdos)

    **XMLReader:**

    * Fixed bug [GH-14183](https://github.com/php/php-src/issues/14183) (XMLReader::open() can't be     overridden). (nielsdos)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the version of PHP installed on the remote host is 8.1.x prior to 8.1.29, 8.2.x prior to 8.2.20, or 8.3.x prior to 8.3.8. It is, therefore, affected by multiple vulnerabilities:

 - An argument Injection in PHP-CGI with a bypass of CVE-2012-1823. (CVE-2024-4577)

 - A filter bypass in filter_var FILTER_VALIDATE_URL. (CVE-2024-5458)

 - A bypass of CVE-2024-1874. (CVE-2024-5585)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of php81 installed on the remote host is prior to 8.1.29 / 8.3.8. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2024-158-01 advisory.

    New php packages are available for Slackware 15.0 and -current to fix security issues.

Tenable has extracted the preceding description block directly from the php81 security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of PHP installed on the remote host is prior to 8.1.29. It is, therefore, affected by multiple vulnerabilities as referenced in the Version 8.1.29 advisory.

  - sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-     cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote     attackers to execute arbitrary code by placing command-line options in the query string, related to lack     of skipping a certain php_getopt for the 'd' case. (CVE-2012-1823)

  - In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open()     command with array syntax, due to insufficient escaping, if the arguments of the executed command are     controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in     Windows shell. (CVE-2024-1874)

  - In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-     CGI on Windows, if the system is set up to use certain code pages, Windows may use Best-Fit behavior to     replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those     characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and     thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. (CVE-2024-4577)

  - In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error,     filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of     URLs the function will result in invalid user information (username + password part of URLs) being treated     as valid user information. This may lead to the downstream code accepting invalid URLs as valid and     parsing them incorrectly. (CVE-2024-5458)

  - In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874     does not work if the command name includes trailing spaces. Original issue: when using proc_open() command     with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled     by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
    (CVE-2024-5585)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of PHP installed on the remote host is prior to 8.2.20. It is, therefore, affected by multiple vulnerabilities as referenced in the Version 8.2.20 advisory.

  - sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-     cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote     attackers to execute arbitrary code by placing command-line options in the query string, related to lack     of skipping a certain php_getopt for the 'd' case. (CVE-2012-1823)

  - In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open()     command with array syntax, due to insufficient escaping, if the arguments of the executed command are     controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in     Windows shell. (CVE-2024-1874)

  - In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-     CGI on Windows, if the system is set up to use certain code pages, Windows may use Best-Fit behavior to     replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those     characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and     thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. (CVE-2024-4577)

  - In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error,     filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of     URLs the function will result in invalid user information (username + password part of URLs) being treated     as valid user information. This may lead to the downstream code accepting invalid URLs as valid and     parsing them incorrectly. (CVE-2024-5458)

  - In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874     does not work if the command name includes trailing spaces. Original issue: when using proc_open() command     with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled     by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
    (CVE-2024-5585)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of PHP installed on the remote host is prior to 8.3.8. It is, therefore, affected by multiple vulnerabilities as referenced in the Version 8.3.8 advisory.

  - sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-     cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote     attackers to execute arbitrary code by placing command-line options in the query string, related to lack     of skipping a certain php_getopt for the 'd' case. (CVE-2012-1823)

  - In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open()     command with array syntax, due to insufficient escaping, if the arguments of the executed command are     controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in     Windows shell. (CVE-2024-1874)

  - In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-     CGI on Windows, if the system is set up to use certain code pages, Windows may use Best-Fit behavior to     replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those     characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and     thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. (CVE-2024-4577)

  - In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error,     filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of     URLs the function will result in invalid user information (username + password part of URLs) being treated     as valid user information. This may lead to the downstream code accepting invalid URLs as valid and     parsing them incorrectly. (CVE-2024-5458)

  - In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874     does not work if the command name includes trailing spaces. Original issue: when using proc_open() command     with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled     by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
    (CVE-2024-5585)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
200458	Fedora 39 : php (2024-52c23ef1ec)	Nessus	Fedora Local Security Checks	critical
200375	Fedora 40 : php (2024-49aba7b305)	Nessus	Fedora Local Security Checks	critical
114298	PHP 8.1.x < 8.1.29 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
114297	PHP 8.2.x < 8.2.20 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
114296	PHP 8.3.x < 8.3.8 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
200177	Slackware Linux 15.0 / current php81 Multiple Vulnerabilities (SSA:2024-158-01)	Nessus	Slackware Local Security Checks	critical
200170	PHP 8.1.x < 8.1.29 Multiple Vulnerabilities	Nessus	CGI abuses	critical
200162	PHP 8.2.x < 8.2.20 Multiple Vulnerabilities	Nessus	CGI abuses	critical
200161	PHP 8.3.x < 8.3.8 Multiple Vulnerabilities	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2024-5585

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical