CVE-2019-11048

Name
CVE-2019-11048
Description
In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead the PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request without cleaning up the temporary files created by the upload request. This could potentially lead to an accumulation of uncleaned temporary files that exhausts the disk space on the target server.
NVD Severity
medium

References

| Type | URI |
|---|---|
| Exploit | https://bugs.php.net/bug.php?id=78876 |
| Exploit | https://bugs.php.net/bug.php?id=78875 |
| FEDORA | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBA3TFZSP3TB5N4G24SO6BI64RJZXE3D/ |
| FEDORA | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDUQ7XFONY3BWTAQQUD3QUGZT6NFZUF/ |
| CONFIRM | https://security.netapp.com/advisory/ntap-20200528-0006/ |
| UBUNTU | https://usn.ubuntu.com/4375-1/ |
| SUSE | http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00045.html |
| MLIST | https://lists.debian.org/debian-lts-announce/2020/06/msg00033.html |
| DEBIAN | https://www.debian.org/security/2020/dsa-4717 |
| DEBIAN | https://www.debian.org/security/2020/dsa-4719 |
| MISC | https://www.oracle.com/security-alerts/cpuoct2020.html |
| MISC | https://www.oracle.com/security-alerts/cpuApr2021.html |
| CONFIRM | https://www.tenable.com/security/tns-2021-14 |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:php:php:*:*:*:*:*:*:*:* | php | >= 7.2.0 | < 7.2.31 |
| cpe:2.3:a:php:php:*:*:*:*:*:*:*:* | php | >= 7.3.0 | < 7.3.18 |
| cpe:2.3:a:php:php:*:*:*:*:*:*:*:* | php | >= 7.4.0 | < 7.4.6 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| php7 | edge-community | 7.3.18-r0 | None | fixed |