CVE-2018-10545

Name
CVE-2018-10545
Description
An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process.
NVD Severity
medium

References

| Type | URI |
|---|---|
| Issue Tracking | https://bugs.php.net/bug.php?id=75605 |
| Patch | http://php.net/ChangeLog-7.php |
| Patch | http://php.net/ChangeLog-5.php |
| Third Party Advisory | http://www.securityfocus.com/bid/104022 |
| Mailing List | https://lists.debian.org/debian-lts-announce/2018/05/msg00004.html |
| Third Party Advisory | https://usn.ubuntu.com/3646-1/ |
| Third Party Advisory | https://usn.ubuntu.com/3646-2/ |
| Third Party Advisory | https://security.netapp.com/advisory/ntap-20180607-0003/ |
| Mailing List | https://lists.debian.org/debian-lts-announce/2018/06/msg00005.html |
| Third Party Advisory | https://www.debian.org/security/2018/dsa-4240 |
| Third Party Advisory | https://www.tenable.com/security/tns-2018-12 |
| Third Party Advisory | https://security.gentoo.org/glsa/201812-01 |
| REDHAT | https://access.redhat.com/errata/RHSA-2019:2519 |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:php:php:*:*:*:*:*:*:*:* | php | >= 7.1.0 | < 7.1.16 |
| cpe:2.3:a:php:php:*:*:*:*:*:*:*:* | php | >= 7.0.0 | < 7.0.29 |
| cpe:2.3:a:php:php:*:*:*:*:*:*:*:* | php | >= None | < 5.6.35 |
| cpe:2.3:a:php:php:*:*:*:*:*:*:*:* | php | >= 7.2.0 | < 7.2.4 |

Vulnerable and fixed packages

Source package Branch Version Maintainer Status