Resource exhaustion in php7 (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-11048 |
| CWE-ID | CWE-400 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
php7 (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Resource exhaustion
EUVDB-ID: #VU28318
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11048
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the way PHP handles long filenames or field names during file upload. A remote attacker can supply an overly long filename to the application that will lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This will lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.
MitigationInstall update from vendor's website.
Vulnerable software versionsphp7 (Alpine package): 7.2.5-r0 - 7.2.27-r0
External linkshttp://git.alpinelinux.org/aports/commit/?id=04fa411a1b511be35d5189ccb24cd445be042688
http://git.alpinelinux.org/aports/commit/?id=88b6599af086a66070987236b518ccb5d5247aae
http://git.alpinelinux.org/aports/commit/?id=126f2868cb8f15a33a8be6ce1d861b78a9da5248
http://git.alpinelinux.org/aports/commit/?id=4ab6ec338e73a646eba32e1773417a2a8f9b7283
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
