CVE-2024-29895: PHP Server Argv To Shell Exec Without Cast
greprules fetch cve-2024-29895-php-server-argv-to-shell-exec-without-cast --engine opengrep
Description
Untrusted input read from $_SERVER['argv'] is passed to a shell-invoking function without integer casting, intval(), or shell-argument escaping. When PHP's register_argc_argv directive is On (the default in many environments, including the official PHP Docker image), URL query-string tokens populate $_SERVER['argv'] for HTTP-served scripts, so an unauthentic
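An added illustration of the pattern described above beside a hardened counterpart, in PHP. It is not code from this rule or from any affected project; poller.php, the --host-id option and both function names are hypothetical, and the commands are only built and printed, never executed.

```php
<?php
// Added example with constructed names and inputs; nothing here runs a shell.

// Pattern the rule describes: an argv token concatenated into a shell
// command string with no cast, intval() or escapeshellarg().
function build_command_unsafe(array $argv): string
{
    return '/usr/bin/php poller.php --host-id=' . $argv[1];
}

// Hardened form: refuse non-CLI callers (so query-string tokens can never
// reach this code through register_argc_argv), accept only a plain decimal
// integer, cast it, and still escape the value placed on the command line.
function build_command_safe(array $argv, string $sapi = PHP_SAPI): string
{
    if ($sapi !== 'cli') {
        throw new RuntimeException('script must be run from the command line');
    }
    $raw = $argv[1] ?? '';
    if (!is_string($raw) || preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        throw new InvalidArgumentException('host id must be a decimal integer');
    }
    $hostId = intval($raw);
    return '/usr/bin/php poller.php --host-id=' . escapeshellarg((string) $hostId);
}

// Constructed inputs standing in for $_SERVER['argv'].
$samples = [
    ['script.php', '42'],
    ['script.php', '42; id'],
];

foreach ($samples as $argv) {
    echo 'unsafe: ', build_command_unsafe($argv), PHP_EOL;
    try {
        echo 'safe:   ', build_command_safe($argv), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'safe:   rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```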
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided