CVE-2019-11043 Information

Share on:
Feb 14, 2021 cve

Description

In PHP versions 7.1.x below 7.1.33 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data thus opening the possibility of remote code execution.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2020/Jan/40 https://access.redhat.com/errata/RHSA-2019:3286 https://access.redhat.com/errata/RHSA-2019:3287 https://access.redhat.com/errata/RHSA-2019:3299 https://access.redhat.com/errata/RHSA-2019:3300 https://access.redhat.com/errata/RHSA-2019:3724 https://access.redhat.com/errata/RHSA-2019:3735 https://access.redhat.com/errata/RHSA-2019:3736 https://access.redhat.com/errata/RHSA-2020:0322 https://bugs.php.net/bug.php?id=78599 https://github.com/neex/phuip-fpizdam https://lists.fedoraproject.org/archives/list/[email protected]/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/ https://lists.fedoraproject.org/archives/list/[email protected]/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/ https://lists.fedoraproject.org/archives/list/[email protected]/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/ https://seclists.org/bugtraq/2020/Jan/44 https://security.netapp.com/advisory/ntap-20191031-0003/ https://support.apple.com/kb/HT210919 https://support.f5.com/csp/article/K75408500?utm_source=f5support&utm_medium=RSS https://usn.ubuntu.com/4166-1/ https://usn.ubuntu.com/4166-2/ https://www.debian.org/security/2019/dsa-4552 https://www.debian.org/security/2019/dsa-4553 https://www.synology.com/security/advisory/Synology_SA_19_36

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8