CVE-2019-11045
Summary
| CVE | CVE-2019-11045 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-12-23 03:15:00 UTC |
| Updated | 2023-11-07 03:02:00 UTC |
| Description | In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. |
Risk And Classification
Problem Types: CWE-74
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 18.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 19.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 19.10 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 18.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 19.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 19.10 | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 30 | All | All | All |
| Operating System | Fedoraproject | Fedora | 31 | All | All | All |
| Operating System | Fedoraproject | Fedora | 30 | All | All | All |
| Operating System | Fedoraproject | Fedora | 31 | All | All | All |
| Operating System | Opensuse | Leap | 15.1 | All | All | All |
| Operating System | Opensuse | Leap | 15.1 | All | All | All |
| Application | Php | Php | 7.4.0 | All | All | All |
| Application | Php | Php | 7.4.0 | All | All | All |
| Application | Php | Php | All | All | All | All |
| Application | Php | Php | All | All | All | All |
| Application | Tenable | Securitycenter | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 31 Update: php-7.3.13-1.fc31 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| Bugtraq: [SECURITY] [DSA 4626-1] php7.3 security update | BUGTRAQ | seclists.org | Mailing List, Third Party Advisory |
| [SECURITY] [DLA 2050-1] php5 security update | MLIST | lists.debian.org | Mailing List, Third Party Advisory |
| [SECURITY] Fedora 30 Update: php-7.3.13-1.fc30 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [R1] Tenable.sc 5.19.0 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable® | CONFIRM | www.tenable.com | |
| Debian -- Security Information -- DSA-4628-1 php7.0 | DEBIAN | www.debian.org | Third Party Advisory |
| Debian -- Security Information -- DSA-4626-1 php7.3 | DEBIAN | www.debian.org | Third Party Advisory |
| [SECURITY] Fedora 30 Update: php-7.3.13-1.fc30 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| [security-announce] openSUSE-SU-2020:0080-1: moderate: Security update f | SUSE | lists.opensuse.org | Mailing List, Third Party Advisory |
| Bugtraq: Re: [SECURITY] [DSA 4628-1] php7.0 security update | BUGTRAQ | seclists.org | Mailing List, Third Party Advisory |
| Bugtraq: [SECURITY] [DSA 4628-1] php7.0 security update | BUGTRAQ | seclists.org | Mailing List, Third Party Advisory |
| USN-4239-1: PHP vulnerabilities | Ubuntu security notices | Ubuntu | UBUNTU | usn.ubuntu.com | Third Party Advisory |
| PHP :: Sec Bug #78863 :: DirectoryIterator class silently truncates after a null byte | MISC | bugs.php.net | Exploit, Mailing List, Patch, Vendor Advisory |
| [SECURITY] Fedora 31 Update: php-7.3.13-1.fc31 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| December 2019 PHP Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Submitted by ryat at php.net
Legacy QID Mappings
- 296076 Oracle Solaris 11.4 Support Repository Update (SRU) 19.3.0 Missing (CPUJAN2020)
- 501134 Alpine Linux Security Update for php7
- 752878 SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:4067-1)
- 940250 AlmaLinux Security Update for php:7.3 (ALSA-2020:3662)
- 960421 Rocky Linux Security Update for php:7.3 (RLSA-2020:3662)