CVE-2019-9637: Incorrect Privilege Assignment in PHP

Severity: 7.5 HIGH (NVD)
EPSS: 9.9% (top 6.99%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 9; latest update Jan 27

Description

An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that the file being renamed is briefly available with the wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

NVD | php/php | 7.2.0 | 7.2.16 | +2
Ubuntu | php5/php5 | < 5.5.9+dfsg-1ubuntu4.29
NVD | opensuse/leap | 42.3

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 18.10

Patches

🔴 Vulnerability Details (4)

GHSA | GHSA-hq76-774r-jcwj: An issue was discovered in PHP before 7 | 2022-05-14
OSV | php5 vulnerabilities | 2019-04-23
OSV | php7.0, php7.2 vulnerabilities | 2019-03-26
OSV | CVE-2019-9637: An issue was discovered in PHP before 7 | 2019-03-08

📋 Vendor Advisories (5)

CISA ICS | Festo Didactic SE MES PC | 2026-01-27
Ubuntu | PHP vulnerabilities | 2019-04-25
Ubuntu | PHP vulnerabilities | 2019-04-23
Ubuntu | PHP vulnerabilities | 2019-03-26
Red Hat | php: File rename across filesystems may allow unwanted access during processing | 2019-02-18

💬 Community (2)

Bugzilla | CVE-2019-9637 php: rename function across the device may allow unwanted access during processing [fedora-all] | 2019-03-14
Bugzilla | CVE-2019-9637 php: File rename across filesystems may allow unwanted access during processing | 2019-03-14