CVE Vulnerability

CVE-2019-11045

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

4.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

5.9 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://bugs.php.net/bug.php?id=78863 Exploit Mailing List
https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20200103-0002/ Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/ Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/ Third Party Advisory
https://usn.ubuntu.com/4239-1/ Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html Mailing List Third Party Advisory
https://seclists.org/bugtraq/2020/Feb/27 Mailing List Third Party Advisory
https://www.debian.org/security/2020/dsa-4626 Third Party Advisory
https://seclists.org/bugtraq/2020/Feb/31 Mailing List Third Party Advisory
https://www.debian.org/security/2020/dsa-4628 Third Party Advisory
https://seclists.org/bugtraq/2021/Jan/3 Mailing List Third Party Advisory
https://www.tenable.com/security/tns-2021-14 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:php:php:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
cpe:2.3:a:tenable:securitycenter:*:*:*:*:*:*:*:*
Information

Published : 2019-12-23 03:15

Updated : 2022-12-20 09:38

NVD link : CVE-2019-11045

Mitre link : CVE-2019-11045

Products Affected

Securitycenter

Tenable

CWE
CWE-74