Multiple vulnerabilities in PHP

Published: 2019-02-08 20:49:05
Severity: Low
Patch available: YES
Number of vulnerabilities: 14
CVE ID: N/A
CVSSv3:
    6.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
    6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
    6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
    6.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
    6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
    7.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C]
    6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
    6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
    6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
    6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
    6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
    6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
    6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
    6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CWE ID: CWE-665, CWE-119, CWE-264, CWE-401, CWE-617
Exploitation vector: Network
Public exploit:
    Public exploit code for vulnerability #1 is available.
    Public exploit code for vulnerability #4 is available.
    Public exploit code for vulnerability #6 is available.
Vulnerable software: PHP
Vulnerable software versions: PHP 7.3.1, PHP 7.3.0alpha4, PHP 7.3.0beta1


Vendor URL: PHP Group

Security Advisory

1) Segmentation fault

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a flaw that occurs when two `RecursiveFilterIterator` instances are added to a `RecursiveDirectoryIterator`. A remote attacker can trigger a segmentation fault and cause the service to crash.

Remediation

Update to version 7.3.2.

External links

https://bugs.php.net/bug.php?id=77263

2) Memory corruption

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a boundary error in the function `zend_cpu_supports_avx2()`. A remote attacker can trigger memory corruption that may cause a segfault and lead to denial of service.

Remediation

Update to version 7.3.2.

External links

https://bugs.php.net/bug.php?id=77447

3) Denial of service

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to an error when calling `realpath` in an invalid working directory. A remote attacker can cause the Zend engine to crash.

Remediation

Update to version 7.3.2.

External links

https://bugs.php.net/bug.php?id=77484

4) Segmentation fault

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a flaw when using `CURLOPT_WRITEFUNCTION` and `CURLOPT_HEADERFUNCTION` in `CURLMOPT_PUSHFUNCTION`. A remote attacker can trigger a segmentation fault and cause the service to crash.

Remediation

Update to version 7.2.15, 7.3.2.

External links

https://bugs.php.net/bug.php?id=76675

5) Denial of service

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to an unspecified flaw. A remote attacker can cause php-fpm to crash with `Main process exited, code=dumped, status=11/SEGV`.

Remediation

Update to version 7.3.2.

External links

https://bugs.php.net/bug.php?id=77430

6) Memory leak

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information or cause a DoS condition on the target system.

The weakness exists due to a memory leak in unbuffered queries. A remote attacker can gain access to arbitrary data or cause the service to crash.

Remediation

Update to version 7.3.2.

External links

https://bugs.php.net/bug.php?id=77308

7) Assertion failure

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a failed assertion in `dce_live_ranges`. A remote attacker can trigger the assertion failure and cause the service to crash.

Remediation

Update to version 7.3.2.

External links

https://bugs.php.net/bug.php?id=77266

8) Segmentation fault

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a flaw observed when the "Advanced Editor" plugin of the BBS software Vanilla is used with an empty cache (that is, the app's internal caching engine): the button row is missing. A remote attacker can trigger a segmentation fault in `zend_gc_addref` and cause the service to crash.

Remediation

Update to version 7.3.2.

External links

https://bugs.php.net/bug.php?id=77434

9) Segmentation fault

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a flaw observed when the "Advanced Editor" plugin of the BBS software Vanilla is used with an empty cache (that is, the app's internal caching engine): the button row is missing. A remote attacker can trigger a segmentation fault with a persistent connection and cause the service to crash.

Remediation

Update to version 7.3.2.

External links

https://bugs.php.net/bug.php?id=77289

10) Segmentation fault

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a segmentation fault when executing a method with an empty parameter. A remote attacker can cause the service to crash.

Remediation

Update to version 7.3.2.

External links

https://bugs.php.net/bug.php?id=77410

11) Segmentation fault

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a segmentation fault when adding a property to an unserialized `ArrayObject`. A remote attacker can cause the service to crash.

Remediation

Update to version 7.3.2.

External links

https://bugs.php.net/bug.php?id=77298

12) Segmentation fault

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a segmentation fault involving `array_multisort`. A remote attacker can cause the service to crash.

Remediation

Update to version 7.2.15, 7.3.2.

External links

https://bugs.php.net/bug.php?id=77395

13) Segmentation fault

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists because `parse_str` segfaults when inserting an item into an existing array. A remote attacker can cause the service to crash.

Remediation

Update to version 7.2.15, 7.3.2.

External links

https://bugs.php.net/bug.php?id=77439

14) Denial of service

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a flaw when an expression such as `(2)::class` (with brackets) is parsed in source code. A remote attacker can trigger a segmentation fault and cause the service to crash.

Remediation

Update to version 7.2.15.

External links

https://bugs.php.net/bug.php?id=77530
