First published: Wed Dec 05 2018(Updated: )
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/rh-php71-php | <0:7.1.30-1.el7 | 0:7.1.30-1.el7 |
redhat/rh-php72-php | <0:7.2.24-1.el7 | 0:7.2.24-1.el7 |
PHP PHP | <5.6.40 | |
PHP PHP | >=7.0.0<7.1.26 | |
PHP PHP | >=7.2.0<7.2.14 | |
PHP PHP | >=7.3.0<7.3.1 | |
Debian Debian Linux | =9.0 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Netapp Storage Automation Store | ||
openSUSE Leap | =42.3 | |
PHP PHP | <7.1.26 | 7.1.26 |
redhat/php | <5.6.40 | 5.6.40 |
redhat/php | <7.1.26 | 7.1.26 |
redhat/php | <7.2.14 | 7.2.14 |
redhat/php | <7.3.1 | 7.3.1 |
debian/php5 | ||
debian/php7.0 | ||
debian/php7.3 | ||
<5.6.40 | ||
>=7.0.0<7.1.26 | ||
>=7.2.0<7.2.14 | ||
>=7.3.0<7.3.1 | ||
=9.0 | ||
=12.04 | ||
=14.04 | ||
=16.04 | ||
=42.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
The vulnerability ID is CVE-2019-9020.
The severity of CVE-2019-9020 is critical with a severity value of 9.8.
PHP versions before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1 are affected.
The possible remedies for CVE-2019-9020 include updating PHP to version 5.6.40, 7.1.26, 7.2.14, or 7.3.1.
You can find more information about CVE-2019-9020 in the following references: [Reference 1](https://www.php.net/ChangeLog-7.php#7.1.26), [Reference 2](https://bugs.php.net/bug.php?id=77242), [Reference 3](https://bugs.php.net/bug.php?id=77249).