CVE-2019-11049 — MEDIUM (6.5)

Q: How severe is CVE-2019-11049?

CVE-2019-11049 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-11049?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Microsoft Windows, Fedoraproject Fedora, Debian Debian Linux, Tenable Securitycenter.

Vulnerability Description

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

HIGH

Affected Products

Vendor	Product	Versions
Php	Php	>= 7.3.0, <= 7.3.13
Microsoft	Windows	-
Fedoraproject	Fedora	30
Debian	Debian Linux	10.0
Tenable	Securitycenter	< 5.19.0

Related Weaknesses (CWE)

CWE-415

References

https://bugs.php.net/bug.php?id=78943Mailing ListPatchVendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://seclists.org/bugtraq/2020/Feb/27Mailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20200103-0002/Third Party Advisory
https://www.debian.org/security/2020/dsa-4626Third Party Advisory
https://www.tenable.com/security/tns-2021-14Third Party Advisory
https://bugs.php.net/bug.php?id=78943Mailing ListPatchVendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://seclists.org/bugtraq/2020/Feb/27Mailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20200103-0002/Third Party Advisory
https://www.debian.org/security/2020/dsa-4626Third Party Advisory
https://www.tenable.com/security/tns-2021-14Third Party Advisory

FAQ

What is CVE-2019-11049?

CVE-2019-11049 is a vulnerability with a CVSS score of 6.5 (MEDIUM). In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header i...

How severe is CVE-2019-11049?

CVE-2019-11049 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-11049?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Microsoft Windows, Fedoraproject Fedora, Debian Debian Linux, Tenable Securitycenter.