Vulnerability identifier: #VU33363
Vulnerability risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
PHP
Universal components / Libraries /
Scripting languages
Debian Linux
Operating systems & Components /
Operating system
Fedora
Operating systems & Components /
Operating system
Vendor:
PHP Group
Debian
Fedoraproject
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
Mitigation
Install update from vendor's website.
Vulnerable software versions
PHP: 7.4.0
Debian Linux: 7.4.0 - 8.0
Fedora: 7.4.0 - 31
External links
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html
http://bugs.php.net/bug.php?id=78863
http://lists.debian.org/debian-lts-announce/2019/12/msg00034.html
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
http://seclists.org/bugtraq/2020/Feb/27
http://seclists.org/bugtraq/2020/Feb/31
http://security.netapp.com/advisory/ntap-20200103-0002/
http://usn.ubuntu.com/4239-1/
http://www.debian.org/security/2020/dsa-4626
http://www.debian.org/security/2020/dsa-4628
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.