Input validation error in Fedoraproject products - CVE-2019-11045
Published: December 23, 2019 / Updated: August 4, 2020
Vulnerability identifier: #VU33363
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-11045
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: PHP Group
Debian
Fedoraproject
Debian
Fedoraproject
Affected software:
PHP
Debian Linux
Fedora
PHP
Debian Linux
Fedora
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded � byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
How to mitigate CVE-2019-11045
Install update from vendor's website.
Sources
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html
- https://bugs.php.net/bug.php?id=78863
- https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
- https://seclists.org/bugtraq/2020/Feb/27
- https://seclists.org/bugtraq/2020/Feb/31
- https://security.netapp.com/advisory/ntap-20200103-0002/
- https://usn.ubuntu.com/4239-1/
- https://www.debian.org/security/2020/dsa-4626
- https://www.debian.org/security/2020/dsa-4628