CVE-2019-11045
- Source
- https://cve.org/CVERecord?id=CVE-2019-11045
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11045.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2019-11045
- Downstream
- Related
- Published
- 2019-12-23T03:15:11.630Z
- Modified
- 2026-04-11T12:10:13.915447Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
- Database specific
{ "unresolved_ranges": [ { "extracted_events": [ { "fixed": "5.19.0" } ], "source": "CPE_FIELD", "cpe": "cpe:2.3:a:tenable:securitycenter:*:*:*:*:*:*:*:*" }, { "extracted_events": [ { "last_affected": "12.04" } ], "source": "CPE_FIELD", "cpe": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*" }, { "extracted_events": [ { "last_affected": "14.04" } ], "source": "CPE_FIELD", "cpe": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*" }, { "extracted_events": [ { "last_affected": "16.04" } ], "source": "CPE_FIELD", "cpe": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*" }, { "extracted_events": [ { "last_affected": "18.04" } ], "source": "CPE_FIELD", "cpe": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*" }, { "extracted_events": [ { "last_affected": "19.04" } ], "source": "CPE_FIELD", "cpe": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*" }, { "extracted_events": [ { "last_affected": "19.10" } ], "source": "CPE_FIELD", "cpe": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*" }, { "extracted_events": [ { "last_affected": "10.0" } ], "source": "CPE_FIELD", "cpe": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*" }, { "extracted_events": [ { "last_affected": "9.0" } ], "source": "CPE_FIELD", "cpe": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*" }, { "extracted_events": [ { "last_affected": "30" } ], "source": "CPE_FIELD", "cpe": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*" }, { "extracted_events": [ { "last_affected": "31" } ], "source": "CPE_FIELD", "cpe": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*" }, { "extracted_events": [ { "last_affected": "15.1" } ], "source": "CPE_FIELD", "cpe": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*" } ] }- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html
- https://seclists.org/bugtraq/2020/Feb/27
- https://seclists.org/bugtraq/2020/Feb/31
- https://seclists.org/bugtraq/2021/Jan/3
- https://security.netapp.com/advisory/ntap-20200103-0002/
- https://usn.ubuntu.com/4239-1/
- https://www.debian.org/security/2020/dsa-4626
- https://www.debian.org/security/2020/dsa-4628
- https://www.tenable.com/security/tns-2021-14
- https://bugs.php.net/bug.php?id=78863
Affected packages
Git / github.com/php/php-src
Affected ranges
- Type
- GIT
- Repo
- https://github.com/php/php-src
- Events
-
IntroducedLast affectedIntroducedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedLast affected
- Database specific
{ "extracted_events": [ { "introduced": "7.2.0" }, { "last_affected": "7.2.26" }, { "introduced": "7.3.0" }, { "last_affected": "7.3.13" }, { "introduced": "0" }, { "last_affected": "7.4.0" }, { "last_affected": "8.0" } ], "source": "CPE_FIELD", "cpe": [ "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "cpe:2.3:a:php:php:7.4.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*" ] }
Affected versions
Other
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS
php-7.*
php-7.2.26
php-7.3.13
php-7.3.13RC1
php-7.4.0
php-8.*
php-8.0.0