CVE-2019-11044
published 2019-12-23

Priority: P345 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 5.12% (91.3th percentile)
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, the PHP link() function accepts filenames with an embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications that check which paths the code is allowed to access.

Affected (9 ranges)

Vendor          Product          Version range          Fixed in
fedoraproject   fedora
fedoraproject   fedora
php             php
php             php              7.2.0 – 7.2.26
php             php              7.3.0 – 7.3.13
php_group       php              >= 7.2.x < 7.2.26      7.2.26
php_group       php              >= 7.3.x < 7.3.13      7.3.13
php_group       php              >= 7.4.x < 7.4.1       7.4.1
tenable         securitycenter   < 5.19.0               5.19.0

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat             5.0     MEDIUM