CVE-2019-9637

HIGH

PHP <7.1.27-7.2.16-7.3.3 - Info Disclosure

Title source: llm

Description

An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.

References (15)

Core 15

Core References

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2019/dsa-4403

Issue Tracking, Patch, Vendor Advisory x_refsource_misc

https://bugs.php.net/bug.php?id=77630

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3922-1/

Third Party Advisory x_refsource_confirm

https://support.f5.com/csp/article/K53825211

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2019/03/msg00043.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3922-2/

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3922-3/

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html

Third Party Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20190502-0007/

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:2519

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:3299

Third Party Advisory x_refsource_confirm

https://www.tenable.com/security/tns-2019-07

Scores

CVSS v3 7.5

EPSS 0.0987

EPSS Percentile 93.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-264

Status published

Products (10)

canonical/ubuntu_linux 12.04

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 18.04

canonical/ubuntu_linux 18.10

debian/debian_linux 8.0

debian/debian_linux 9.0

netapp/storage_automation_store

opensuse/leap 42.3

php/php < 7.1.27

Published Mar 09, 2019

Tracked Since Feb 18, 2026