{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-56145","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2024-12-16T18:04:39.983Z","datePublished":"2024-12-18T20:37:34.301Z","dateUpdated":"2025-10-21T22:55:33.949Z"},"containers":{"cna":{"title":"RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms","problemTypes":[{"descriptions":[{"cweId":"CWE-94","lang":"en","description":"CWE-94: Improper Control of Generation of Code ('Code Injection')","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":9.3,"baseSeverity":"CRITICAL","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9","tags":["x_refsource_CONFIRM"],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9"},{"name":"https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3","tags":["x_refsource_MISC"],"url":"https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3"}],"affected":[{"vendor":"craftcms","product":"cms","versions":[{"version":">= 4.0.0-RC1, < 4.13.2","status":"affected"},{"version":">= 5.0.0-RC1, < 5.5.2","status":"affected"},{"version":">= 3.0.0, < 3.9.14","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-12-19T20:13:33.762Z"},"descriptions":[{"lang":"en","value":"Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. 
Users running an affected version are exposed to this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users, an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue."}],"source":{"advisory":"GHSA-2p6p-9rc9-62j9","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-56145","role":"CISA Coordinator","options":[{"Exploitation":"active"},{"Automatable":"yes"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-06-06T03:55:30.076301Z"}}},{"other":{"type":"kev","content":{"dateAdded":"2025-06-02","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145"}}}],"references":[{"url":"https://github.com/Chocapikk/CVE-2024-56145","tags":["exploit"]},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145","tags":["government-resource"]}],"timeline":[{"time":"2025-06-02T00:00:00.000Z","lang":"en","value":"CVE-2024-56145 added to CISA KEV"}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-21T22:55:33.949Z"}}]}}