CVE-2019-11045 — LOW (3.7) — White Hats Nepal

Q: How severe is CVE-2019-11045?

CVE-2019-11045 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-11045?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Fedoraproject Fedora, Debian Debian Linux, Opensuse Leap, Canonical Ubuntu Linux.

Vulnerability Description

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

CVSS Score

3.7

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Php	Php	>= 7.2.0, <= 7.2.26
Fedoraproject	Fedora	30
Debian	Debian Linux	8.0
Opensuse	Leap	15.1
Canonical	Ubuntu Linux	12.04
Tenable	Securitycenter	< 5.19.0

Related Weaknesses (CWE)

CWE-74 CWE-170

References

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.htmlMailing ListThird Party Advisory
https://bugs.php.net/bug.php?id=78863ExploitMailing ListPatch
https://lists.debian.org/debian-lts-announce/2019/12/msg00034.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://seclists.org/bugtraq/2020/Feb/27Mailing ListThird Party Advisory
https://seclists.org/bugtraq/2020/Feb/31Mailing ListThird Party Advisory
https://seclists.org/bugtraq/2021/Jan/3Mailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20200103-0002/Third Party Advisory
https://usn.ubuntu.com/4239-1/Third Party Advisory
https://www.debian.org/security/2020/dsa-4626Third Party Advisory
https://www.debian.org/security/2020/dsa-4628Third Party Advisory
https://www.tenable.com/security/tns-2021-14Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.htmlMailing ListThird Party Advisory
https://bugs.php.net/bug.php?id=78863ExploitMailing ListPatch

FAQ

What is CVE-2019-11045?

CVE-2019-11045 is a vulnerability with a CVSS score of 3.7 (LOW). In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to se...

How severe is CVE-2019-11045?

CVE-2019-11045 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-11045?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Fedoraproject Fedora, Debian Debian Linux, Opensuse Leap, Canonical Ubuntu Linux.