CVE-2019-11043

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-11043

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11043.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-11043

Related

ALSA-2019:3735
ALSA-2019:3736
DLA-1970-1
DSA-4552-1
DSA-4553-1
RLSA-2019:3735
RLSA-2019:3736
SUSE-SU-2019:2809-1
SUSE-SU-2019:2819-1
SUSE-SU-2019:2909-1
SUSE-SU-2020:0522-1
SUSE-SU-2022:4067-1
UBUNTU-CVE-2019-11043
USN-4166-1
USN-4166-2
openSUSE-SU-2019:2441-1
openSUSE-SU-2019:2457-1
openSUSE-SU-2024:11167-1
openSUSE-SU-2024:11169-1

Published

2019-10-28T15:15:13Z

Modified

2024-09-02T23:13:33Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

References

http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html
https://access.redhat.com/errata/RHSA-2019:3286
https://access.redhat.com/errata/RHSA-2019:3287
https://access.redhat.com/errata/RHSA-2019:3299
https://access.redhat.com/errata/RHSA-2019:3300
https://access.redhat.com/errata/RHSA-2019:3724
https://access.redhat.com/errata/RHSA-2019:3735
https://access.redhat.com/errata/RHSA-2019:3736
https://access.redhat.com/errata/RHSA-2020:0322
https://bugs.php.net/bug.php?id=78599
https://security.netapp.com/advisory/ntap-20191031-0003/
https://www.debian.org/security/2019/dsa-4552
https://www.debian.org/security/2019/dsa-4553
https://www.synology.com/security/advisory/Synology_SA_19_36
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html
http://seclists.org/fulldisclosure/2020/Jan/40
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/
https://seclists.org/bugtraq/2020/Jan/44
https://github.com/neex/phuip-fpizdam
https://support.apple.com/kb/HT210919
https://support.f5.com/csp/article/K75408500?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/4166-1/
https://usn.ubuntu.com/4166-2/
https://www.tenable.com/security/tns-2021-14

Affected packages

Git / github.com/php/php-src

Affected ranges

Type: GIT
Repo: https://github.com/php/php-src
Events: Introduced

0221e9f827632942225586687a33cfd554860d5e

Fixed

326cd05dae2eb411d5fdacede8a4bfa7a0798182