CVE-2019-11045: DirectoryIterator class silently truncates after a null byte
First published: Tue Dec 17 2019(Updated: )
A vulnerability was found in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. Reference: <a href="https://bugs.php.net/bug.php?id=78863">https://bugs.php.net/bug.php?id=78863</a>
Credit: security@php.net security@php.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-php73-php | <0:7.3.20-1.el7 | 0:7.3.20-1.el7 |
| PHP PHP | >=7.2.0<=7.2.26 | |
| PHP PHP | >=7.3.0<=7.3.13 | |
| PHP PHP | =7.4.0 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| openSUSE Leap | =15.1 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| Tenable SecurityCenter | <5.19.0 | |
| PHP PHP | <7.2.26 | 7.2.26 |
| debian/php5 | ||
| debian/php7.0 | ||
| debian/php7.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-11045 https://nvd.nist.gov/vuln/detail/CVE-2019-11045
- https://bugzilla.redhat.com/show_bug.cgi?id=1786572
- https://access.redhat.com/errata/RHSA-2020:3662
- https://access.redhat.com/errata/RHSA-2020:5275
- https://access.redhat.com/security/cve/cve-2019-11045
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html
- https://bugs.php.net/bug.php?id=78863
- https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
- https://seclists.org/bugtraq/2020/Feb/27
- https://seclists.org/bugtraq/2020/Feb/31
- https://seclists.org/bugtraq/2021/Jan/3
- https://security.netapp.com/advisory/ntap-20200103-0002/
- https://usn.ubuntu.com/4239-1/
- https://www.debian.org/security/2020/dsa-4626
- https://www.debian.org/security/2020/dsa-4628
- https://www.tenable.com/security/tns-2021-14
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1786573
- http://git.php.net/?p=php-src.git;a=commit;h=a5a15965da23c8e97657278fc8dfbf1dfb20c016
- https://www.php.net/ChangeLog-7.php#7.2.26 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
- https://launchpad.net/bugs/cve/CVE-2019-11045
- https://bugs.php.net/78863
- https://git.php.net/?p=php-src.git;a=patch;h=d74907b8575e6edb83b728c2a94df434c23e1f79
- https://security-tracker.debian.org/tracker/CVE-2019-11045
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11045
- https://nvd.nist.gov/vuln/detail/CVE-2019-11045
- https://ubuntu.com/security/CVE-2019-11045
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2019-11045.
What is the severity of CVE-2019-11045?
The severity of CVE-2019-11045 is medium with a CVSS score of 5.9.
Which PHP versions are affected by CVE-2019-11045?
PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13, and 7.4.0 are affected by CVE-2019-11045.
What is the impact of CVE-2019-11045?
CVE-2019-11045 could lead to security vulnerabilities in applications checking paths that the code is allowed to access.
How can I fix CVE-2019-11045?
To fix CVE-2019-11045, update PHP to version 7.2.26, 7.3.13, or 7.4.1 or later.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-11045
- agent/weakness
- collector/php-changelog
- source/PHP
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/severity
- agent/first-publish-date
- agent/references
- agent/remedy
- agent/description
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- collector/nvd-cve
- source/NVD
- agent/author
- agent/tags
- agent/softwarecombine
- agent/event
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/php
- canonical/php php
- version/php php/7.2.0
- version/php php/7.2.26
- version/php php/7.3.0
- version/php php/7.3.13
- version/php php/7.4.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.04
- version/canonical ubuntu linux/19.10
- vendor/tenable
- canonical/tenable securitycenter
- package-manager/debian