CVE-2019-9020

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-9020
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-9020.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-9020
Downstream
Related
Published
2019-02-22T23:29:00.330Z
Modified
2026-04-11T12:23:55.593581Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpcdecode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xmlelemparsebuf in ext/xmlrpc/libxmlrpc/xml_element.c.

Database specific 
{
    "unresolved_ranges": [
        {
            "cpe": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "12.04"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpe": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "14.04"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpe": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "16.04"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpe": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "9.0"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "cpe": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "42.3"
                }
            ],
            "source": "CPE_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4b8f72da5dfb201af4e82dee960261d8657e414f
Introduced
60fffd296abce5fc071f3c173c25a2696cf683c6
Fixed
b3ad2be890e86c69cdc661739c74b677b46a53cb
Introduced
8148cbb78841c8ec0759c0836e7f35dec799d300
Fixed
643a161a24e662fd2afa9bf3591b105f4881e93e
Introduced
52ace952a1b65ca80fc2617f11c2fa6dd03f51bd
Fixed
b51be55fe5488a090f6b12200987f4c7afe8cfd3
Database specific 
{
    "cpe": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.6.40"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.1.26"
        },
        {
            "introduced": "7.2.0"
        },
        {
            "fixed": "7.2.14"
        },
        {
            "introduced": "7.3.0"
        },
        {
            "fixed": "7.3.1"
        }
    ],
    "source": "CPE_FIELD"
}

Affected versions

Other
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS
php-7.*
php-7.3.1RC1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-9020.json"