cbcvebase.
CVE-2019-11049
published 2019-12-23

Priority: P3 51
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.22% (89.7th percentile)
In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to the mail() function, due to a mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.

Affected (8 ranges)

Vendor          Product         Version range           Fixed in
debian          debian_linux    (not listed)            (not listed)
fedoraproject   fedora          (not listed)            (not listed)
fedoraproject   fedora          (not listed)            (not listed)
php             php             (not listed)            (not listed)
php             php             7.3.0 – 7.3.13          (not listed)
php_group       php             >= 7.3.x < 7.3.13       7.3.13
php_group       php             >= 7.4.x < 7.4.1        7.4.1
tenable         securitycenter  < 5.19.0                5.19.0

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat   (n/a)    6.5    MEDIUM    (not listed)