
CVE-2024-56145:
Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled

CVSS Score: 9.3

Basic Information

EPSS Score: -
Published: 12/18/2024
Updated: 12/19/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| craftcms/cms | composer | >= 5.0.0-RC1, < 5.5.2 | 5.5.2 |
| craftcms/cms | composer | >= 4.0.0-RC1, < 4.13.2 | 4.13.2 |
| craftcms/cms | composer | >= 3.0.0, < 3.9.14 | 3.9.14 |

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper handling of CLI arguments in a web context. The patch changes how the `$findConfig` closure retrieves configuration values by checking for console mode before calling `App::cliOption`. This indicates that the original use of `App::cliOption` in `$findConfig` was open to argument injection: when `register_argc_argv` is enabled, `$_SERVER['argv']` is populated during web requests, so request-controlled data could be read as if it were a CLI option. The assigned CWEs (OS Command Injection and Code Injection) indicate that the values read this way flowed, without sanitization, into code paths that could lead to code execution.


WAF Protection Rules

WAF Rule

### Impact

You are affected if your php.ini configuration has `register_argc_argv` enabled.

### Patches

Update to 3.9.14, 4.13.2, or 5.5.2.

### Workarounds

If you can't upgrade yet, and `register_argc_argv` is enabled, you can disable it to mitigate
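The following is an added example, not Craft CMS code, illustrating both the root cause analysis above (a config lookup that trusts `$_SERVER['argv']` in a web request) and the workaround (checking whether `register_argc_argv` is on). It relies on one documented PHP behaviour: with `register_argc_argv` enabled, PHP's web SAPIs fill `$_SERVER['argv']` from the request's query string. The function names `cliOptionNaive`, `cliOptionSafe`, `findConfigValue` and `registerArgcArgvEnabled`, the option name `configPath` and the sample values are all hypothetical; the hardened lookup mirrors the shape of the fix described (consult CLI options only in console mode) without claiming to be Craft's implementation.

```php
<?php
declare(strict_types=1);
// Added example (not Craft CMS code). All function and option names are hypothetical.
// Fact relied on: with register_argc_argv=On, PHP's web SAPIs populate
// $_SERVER['argv'] from the query string, so a CLI-option parser that does not
// check which SAPI it runs under will read request-controlled values.

/** Naive option lookup (the vulnerable pattern): trusts argv under any SAPI. */
function cliOptionNaive(string $name, array $server): ?string
{
    $prefix = "--{$name}=";
    foreach ($server['argv'] ?? [] as $arg) {
        if (is_string($arg) && str_starts_with($arg, $prefix)) {
            return substr($arg, strlen($prefix));
        }
    }
    return null;
}

/** Hardened lookup, in the spirit of the fix: argv is only consulted in console mode. */
function cliOptionSafe(string $name, array $server, bool $isConsoleRequest): ?string
{
    if (!$isConsoleRequest) {
        return null; // web request: never treat $_SERVER['argv'] as CLI input
    }
    return cliOptionNaive($name, $server);
}

/** Config resolution in the style of a $findConfig closure: CLI option, then env var, then default. */
function findConfigValue(
    string $name,
    array $server,
    array $env,
    bool $isConsoleRequest,
    ?string $default = null
): ?string {
    return cliOptionSafe($name, $server, $isConsoleRequest) ?? $env[$name] ?? $default;
}

/** Deployment check for the workaround: is register_argc_argv on for this SAPI? */
function registerArgcArgvEnabled(): bool
{
    return filter_var(ini_get('register_argc_argv'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample: roughly what PHP would place in $_SERVER for a web request
// whose query string is "--configPath=/tmp/untrusted" with register_argc_argv on.
$webServer = ['argv' => ['--configPath=/tmp/untrusted'], 'argc' => 1];
$env       = ['configPath' => '/var/www/craft/config'];

// Vulnerable pattern: the request-supplied value is returned as a "CLI option".
var_export(cliOptionNaive('configPath', $webServer)); echo PHP_EOL; // '/tmp/untrusted'

// Hardened pattern, simulating a web request: argv ignored, env value used.
var_export(findConfigValue('configPath', $webServer, $env, false)); echo PHP_EOL; // '/var/www/craft/config'

// Hardened pattern, simulating a genuine console request: CLI option honoured.
var_export(findConfigValue('configPath', $webServer, $env, true)); echo PHP_EOL; // '/tmp/untrusted'

// Workaround check: report the setting for the SAPI this script runs under.
echo 'register_argc_argv enabled: ', registerArgcArgvEnabled() ? 'yes' : 'no', PHP_EOL;
```

Run it under the CLI to see the three lookups; to audit a web server you would run the `registerArgcArgvEnabled()` check from a script served by that SAPI (or inspect `php.ini` directly), since the CLI SAPI's `ini_get` result does not reflect the web configuration.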
