Description
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, the PHP link() function accepts filenames with an embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications that check which paths the code is allowed to access.
References (5)
Core References
Exploit, Mailing List, Patch, Vendor Advisory x_refsource_misc
https://bugs.php.net/bug.php?id=78862
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200103-0002/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
Third Party Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2021-14
Scores
CVSS v3
3.7
EPSS
0.0802
EPSS Percentile
92.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-170
Status
published
Products (5)
fedoraproject/fedora
30
fedoraproject/fedora
31
php/php
7.4.0
php/php
7.2.0 - 7.2.26
tenable/securitycenter
< 5.19.0
Published
Dec 23, 2019
Tracked Since
Feb 18, 2026