CVE-2024-5585: 
PHP vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2024-5585) affects PHP versions 8.1. before 8.1.29, 8.2. before 8.2.20, and 8.3.* before 8.3.8. The vulnerability is related to an incomplete fix for CVE-2024-1874, where the patch does not work if the command name includes trailing spaces. When using proc_open() command with array syntax, insufficient escaping allows malicious users to execute arbitrary commands in Windows shell if they control the command arguments (PHP Advisory, NVD).

The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while PHP Group assigned it a score of 7.7 (HIGH) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L. The vulnerability is classified under CWE-116 (Improper Encoding or Escaping of Output) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command) (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability allows attackers to execute arbitrary commands on affected systems, potentially leading to a full compromise of affected servers (Security Online, NetApp Advisory).

The vulnerability has been patched in PHP versions 8.1.29, 8.2.20, and 8.3.8. Organizations using affected PHP versions are strongly advised to upgrade to these patched versions immediately (PHP Advisory, Fedora Update).