CVE-2019-11045: Improper Null Termination in Group PHP

Severity
NVD: 5.9 MEDIUM
CNA: 3.7
EPSS
41.5% (top 2.59%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Dec 23
Latest update: May 24

Description

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (5 packages)

Source | Package | Affected versions | Fixed version
CVEList V5 | php_group/php | 7.2.x | 7.2.26 (+2)
Ubuntu | php5/php5 | < 5.5.9+dfsg-1ubuntu4.29+esm8 |
NVD | php/php | 7.2.0 | 7.2.26 (+2)
NVD | opensuse/leap | 15.1 |

Also affects: Debian Linux 10.0, 8.0, 9.0, Fedora 30, 31, Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 19.04, 19.10

Patches

🔴 Vulnerability Details (5)

GHSA: GHSA-jv88-p4rw-4m4h: In PHP versions 7 (2022-05-24)
OSV: php5, php7.0, php7.2, php7.3 vulnerabilities (2020-01-15)
CVEList: DirectoryIterator class silently truncates after a null byte (2019-12-23)
OSV: CVE-2019-11045: In PHP versions 7 (2019-12-23)
Kernel: powerpc/tm: Fix oops on sigreturn on systems without TM (2019-07-19)

📋 Vendor Advisories (2)

Ubuntu: PHP vulnerabilities (2020-01-15)
Red Hat: php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte (2019-12-22)

💬 Community (3)

HackerOne: DirectoryIterator class silently truncates after a null byte (2020-11-09)
Bugzilla: CVE-2019-11045 php: PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte [fedora-all] (2019-12-26)
Bugzilla: CVE-2019-11045 php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte (2019-12-26)
CVE-2019-11045 — Improper Null Termination in Group PHP | cvebase