cbcvebase.
CVE-2019-11045
published 2019-12-23

CVE-2019-11045: In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as…

PriorityP339medium5.9CVSS 3.1
AVNACHPRNUINSUCHINAN
EPSS
8.82%
94.5th percentile
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

Affected

20 ranges
VendorProductVersion rangeFixed in
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
debiandebian_linux
debiandebian_linux
debiandebian_linux
fedoraprojectfedora
fedoraprojectfedora
opensuseleap
phpphp
phpphp7.2.0 – 7.2.26
phpphp7.3.0 – 7.3.13
php5php5>= 0 < 5.5.9+dfsg-1ubuntu4.29+esm85.5.9+dfsg-1ubuntu4.29+esm8
php_groupphp>= 7.2.x < 7.2.267.2.26
php_groupphp>= 7.3.x < 7.3.137.3.13
php_groupphp>= 7.4.x < 7.4.17.4.1
tenablesecuritycenter< 5.19.05.19.0

CVSS provenance

nvdv3.15.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
osv5.9MEDIUM
vendor_redhat3.7LOW
vendor_ubuntu3.7LOW
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.