Vulnerability Description
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying them with a string containing characters that are identified as numeric by the OS but are not ASCII digits. This can lead to disclosure of the content of some memory locations.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Php | Php | >= 7.2.0, <= 7.2.26 |
| Debian | Debian Linux | 8.0 |
| Fedoraproject | Fedora | 30 |
| Opensuse | Leap | 15.1 |
| Canonical | Ubuntu Linux | 12.04 |
| Tenable | Securitycenter | < 5.19.0 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html (Third Party Advisory)
- https://bugs.php.net/bug.php?id=78878 (Mailing List, Patch, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://seclists.org/bugtraq/2020/Feb/27 (Mailing List, Third Party Advisory)
- https://seclists.org/bugtraq/2020/Feb/31 (Mailing List, Third Party Advisory)
- https://seclists.org/bugtraq/2021/Jan/3 (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20200103-0002/ (Third Party Advisory)
- https://support.f5.com/csp/article/K48866433?utm_source=f5support&%3Butm_medi
- https://usn.ubuntu.com/4239-1/ (Third Party Advisory)
- https://www.debian.org/security/2020/dsa-4626 (Third Party Advisory)
- https://www.debian.org/security/2020/dsa-4628 (Third Party Advisory)
- https://www.tenable.com/security/tns-2021-14 (Third Party Advisory)
FAQ
What is CVE-2019-11046?
CVE-2019-11046 is a vulnerability with a CVSS score of 3.7 (LOW). In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying...
How severe is CVE-2019-11046?
CVE-2019-11046 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-11046?
Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Debian Debian Linux, Fedoraproject Fedora, Opensuse Leap, Canonical Ubuntu Linux.