alpine · CVE-2024-1874

Quick triage

Priority: critical Published: Updated:

View at Official alpine advisory, NVD, CVE.org · CVE detail

Freshness: no update timestamp found; verify against the upstream OS advisory manually.

Tracker summary

CVE-2024-1874: 3 source package rows (php81, php82, php83); 12 state rows across 5 repos (3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 12, open 0.

Description:

In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

cvelogic Threat Intelligence