CVE-2019-11044 — Improper Null Termination in Group PHP

CWE-170 — Improper Null Termination6 documents6 sources

Severity

7.5HIGHNVD

CNA3.7

EPSS

8.0%

top 7.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP Tenable Securitycenter PHP +1 more

Timeline

PublishedDec 23

Latest updateMay 24

Description

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDtenable/securitycenter< 5.19.0

▶CVEListV5php_group/php7.2.x — 7.2.26+2

▶NVDphp/php7.2.0 — 7.2.26+2

Also affects: Fedora 30, 31

Patches

Patch: bugs.php.net ↗Patch: bugs.php.net ↗

🔴Vulnerability Details

GHSA

GHSA-c8cf-pj9v-fcr9: In PHP versions 7↗2022-05-24

▶

CVEList

link() silently truncates after a null byte on Windows↗2019-12-23

▶

📋Vendor Advisories

Red Hat

php: link function accepts filenames with embedded null byte and treats them as terminating at that byte on Windows↗2019-11-23

▶

💬Community

HackerOne

PHP link() silently truncates after a null byte on Windows↗2020-11-09

▶

Bugzilla

CVE-2019-11044 php: link function accepts filenames with embedded null byte and treats them as terminating at that byte on Windows↗2020-01-08

▶