CVE-2019-11045

LOW

PHP 7.2.0-7.2.25, 7.3.0-7.3.12, 7.4.0 - Improper Null Termination in DirectoryIterator


Description

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13, and 7.4.0, the PHP DirectoryIterator class accepts filenames with an embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications that check which paths the code is allowed to access.

References (13)

https://bugs.php.net/bug.php?id=78863 (Exploit, Mailing List, Patch, Vendor Advisory; x_refsource_misc)
https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html (Mailing List, Third Party Advisory; mailing-list, x_refsource_mlist)
https://security.netapp.com/advisory/ntap-20200103-0002/ (Third Party Advisory; x_refsource_confirm)
https://usn.ubuntu.com/4239-1/ (Third Party Advisory; vendor-advisory, x_refsource_ubuntu)
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html (Mailing List, Third Party Advisory; vendor-advisory, x_refsource_suse)
https://seclists.org/bugtraq/2020/Feb/27 (Mailing List, Third Party Advisory; mailing-list, x_refsource_bugtraq)
https://www.debian.org/security/2020/dsa-4626 (Third Party Advisory; vendor-advisory, x_refsource_debian)
https://www.debian.org/security/2020/dsa-4628 (Third Party Advisory; vendor-advisory, x_refsource_debian)
https://seclists.org/bugtraq/2020/Feb/31 (Mailing List, Third Party Advisory; mailing-list, x_refsource_bugtraq)
https://seclists.org/bugtraq/2021/Jan/3 (Mailing List, Third Party Advisory; mailing-list, x_refsource_bugtraq)
https://www.tenable.com/security/tns-2021-14 (Third Party Advisory; x_refsource_confirm)

Scores

CVSS v3 3.7
EPSS 0.4148
EPSS Percentile 97.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-170, CWE-74
Status published
Products (15)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.04
canonical/ubuntu_linux 19.10
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 30
... and 5 more
Published Dec 23, 2019
Tracked Since Feb 18, 2026