CVE-2019-11049

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-11049
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11049.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-11049
Downstream
Related
Published
2019-12-23T03:15:11.897Z
Modified
2026-04-11T12:10:13.918457Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.

Database specific 
{
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "5.19.0"
                }
            ],
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:a:tenable:securitycenter:*:*:*:*:*:*:*:*"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "10.0"
                }
            ],
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "30"
                }
            ],
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "31"
                }
            ],
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*"
        }
    ]
}
References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Introduced
52ace952a1b65ca80fc2617f11c2fa6dd03f51bd
Last affected
a1457cf8b8b82516bf9561eb43972b63074fa9ae
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
3c7824e16ec4c3cee417262445d2c2b66531c10f
Database specific 
{
    "extracted_events": [
        {
            "introduced": "7.3.0"
        },
        {
            "last_affected": "7.3.13"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.4.0"
        }
    ],
    "source": "CPE_FIELD",
    "cpe": [
        "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:php:php:7.4.0:*:*:*:*:*:*:*"
    ]
}

Affected versions

Other
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS
php-7.*
php-7.3.13
php-7.3.13RC1
php-7.4.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11049.json"