CVE-2019-11045 : In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryI

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

Published 2019-12-23 03:15:12

Updated 2022-12-20 21:38:15

Source PHP Group

View at NVD, CVE.org

Products affected by CVE-2019-11045

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
PHP » PHP
Versions from including (>=) 7.3.0 and up to, including, (<=) 7.3.13
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Matching versions
PHP » PHP
Versions from including (>=) 7.2.0 and up to, including, (<=) 7.2.26
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 7.4.0
cpe:2.3:a:php:php:7.4.0:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 19.10
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 19.04
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 31
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 30
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Tenable » Securitycenter
Versions before (<) 5.19.0
cpe:2.3:a:tenable:securitycenter:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2019-11045

Top countries where our scanners detected CVE-2019-11045

Top open port discovered on systems with this issue 80

IPs affected by CVE-2019-11045 167,515

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2019-11045!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2019-11045

EPSS FAQ

0.20%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 58 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-11045

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
3.7	LOW	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N	2.2	1.4	PHP Group
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2019-11045

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)
CWE-170 Improper Null Termination

The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

Assigned by: security@php.net (Secondary)

References for CVE-2019-11045

https://www.tenable.com/security/tns-2021-14

[R1] Tenable.sc 5.19.0 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable®
Third Party Advisory

CVEs referencing this url
https://seclists.org/bugtraq/2020/Feb/27

Bugtraq: [SECURITY] [DSA 4626-1] php7.3 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2020/dsa-4626

Debian -- Security Information -- DSA-4626-1 php7.3
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html

[security-announce] openSUSE-SU-2020:0080-1: moderate: Security update f
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/

[SECURITY] Fedora 31 Update: php-7.3.13-1.fc31 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20200103-0002/

December 2019 PHP Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html

[SECURITY] [DLA 2050-1] php5 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/4239-1/

USN-4239-1: PHP vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
https://bugs.php.net/bug.php?id=78863

PHP :: Sec Bug #78863 :: DirectoryIterator class silently truncates after a null byte
Exploit;Mailing List;Patch;Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/

[SECURITY] Fedora 30 Update: php-7.3.13-1.fc30 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2020/dsa-4628

Debian -- Security Information -- DSA-4628-1 php7.0
Third Party Advisory

CVEs referencing this url
https://seclists.org/bugtraq/2020/Feb/31

Bugtraq: [SECURITY] [DSA 4628-1] php7.0 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://seclists.org/bugtraq/2021/Jan/3

Mailing List;Third Party Advisory

CVEs referencing this url