CVE-2019-11043

CRITICAL

Description

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of the FPM setup, it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

References

https://github.com/neex/phuip-fpizdam

https://bugs.php.net/bug.php?id=78599

https://usn.ubuntu.com/4166-1/

https://usn.ubuntu.com/4166-2/

https://www.debian.org/security/2019/dsa-4553

https://www.debian.org/security/2019/dsa-4552

https://support.f5.com/csp/article/K75408500?utm_source=f5support&utm_medium=RSS

https://lists.fedoraproject.org/archives/list/[email protected]/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/

https://security.netapp.com/advisory/ntap-20191031-0003/

https://access.redhat.com/errata/RHSA-2019:3287

https://access.redhat.com/errata/RHSA-2019:3286

https://access.redhat.com/errata/RHSA-2019:3299

https://access.redhat.com/errata/RHSA-2019:3300

https://lists.fedoraproject.org/archives/list/[email protected]/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/

https://lists.fedoraproject.org/archives/list/[email protected]/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html

https://access.redhat.com/errata/RHSA-2019:3724

https://access.redhat.com/errata/RHSA-2019:3735

https://access.redhat.com/errata/RHSA-2019:3736

https://www.synology.com/security/advisory/Synology_SA_19_36

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html

https://support.apple.com/kb/HT210919

https://seclists.org/bugtraq/2020/Jan/44

http://seclists.org/fulldisclosure/2020/Jan/40

https://access.redhat.com/errata/RHSA-2020:0322

http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html

Details

Source: MITRE

Published: 2019-10-28

Updated: 2021-07-22

Type: CWE-787

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 151985 | Tenable.sc < 5.19.0 Multiple Vulnerabilities (TNS-2021-14) | Nessus | Misc. | critical |
| 145689 | CentOS 8 : php:7.3 (CESA-2019:3736) | Nessus | CentOS Local Security Checks | critical |
| 145659 | CentOS 8 : php:7.2 (CESA-2019:3735) | Nessus | CentOS Local Security Checks | critical |
| 144531 | Virtuozzo 6 : php / php-bcmath / php-cli / php-common / php-dba / etc (VZLSA-2019-3287) | Nessus | Virtuozzo Local Security Checks | critical |
| 138155 | RHEL 7 : php (RHSA-2020:2835) | Nessus | Red Hat Local Security Checks | critical |
| 137966 | EulerOS Virtualization 3.0.6.0 : php (EulerOS-SA-2020-1747) | Nessus | Huawei Local Security Checks | critical |
| 136744 | PHP Remote Code Execution Vulnerability (CVE-2019-11043). | Nessus | CGI abuses | critical |
| 134323 | NewStart CGSL MAIN 4.05 : php Vulnerability (NS-SA-2020-0018) | Nessus | NewStart CGSL Local Security Checks | critical |
| 134199 | SUSE SLES12 Security Update : php5 (SUSE-SU-2020:0522-1) | Nessus | SuSE Local Security Checks | critical |
| 133531 | macOS 10.15.x < 10.15.3 / 10.14.x < 10.14.6 / 10.13.x < 10.13.6 | Nessus | MacOS X Local Security Checks | critical |
| 133446 | RHEL 8 : php:7.2 (RHSA-2020:0322) | Nessus | Red Hat Local Security Checks | critical |
| 133087 | NewStart CGSL CORE 5.05 / MAIN 5.05 : php Vulnerability (NS-SA-2020-0001) | Nessus | NewStart CGSL Local Security Checks | critical |
| 132812 | EulerOS Virtualization for ARM 64 3.0.5.0 : php (EulerOS-SA-2020-1058) | Nessus | Huawei Local Security Checks | critical |
| 132184 | EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649) | Nessus | Huawei Local Security Checks | critical |
| 131820 | EulerOS 2.0 SP5 : php (EulerOS-SA-2019-2546) | Nessus | Huawei Local Security Checks | critical |
| 131732 | PHP 7.4.x < 7.4.0 Multiple Vulnerabilities. | Nessus | CGI abuses | critical |
| 131592 | EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438) | Nessus | Huawei Local Security Checks | critical |
| 131418 | NewStart CGSL CORE 5.04 / MAIN 5.04 : php Vulnerability (NS-SA-2019-0214) | Nessus | NewStart CGSL Local Security Checks | critical |
| 131361 | EulerOS 2.0 SP8 : php (EulerOS-SA-2019-2295) | Nessus | Huawei Local Security Checks | critical |
| 131271 | Oracle Linux 8 : php:7.3 (ELSA-2019-3736) | Nessus | Oracle Linux Local Security Checks | critical |
| 131270 | Oracle Linux 8 : php:7.2 (ELSA-2019-3735) | Nessus | Oracle Linux Local Security Checks | critical |
| 701235 | PHP < 7.1.33 / 7.2.x < 7.2.24 / 7.3.x < 7.3.11 Remote Code Execution | Nessus Network Monitor | Web Servers | high |
| 130888 | openSUSE Security Update : php7 (openSUSE-2019-2457) | Nessus | SuSE Local Security Checks | critical |
| 130758 | Virtuozzo 7 : php / php-bcmath / php-cli / php-common / php-dba / etc (VZLSA-2019-3286) | Nessus | Virtuozzo Local Security Checks | critical |
| 130739 | RHEL 8 : php:7.3 (RHSA-2019:3736) | Nessus | Red Hat Local Security Checks | critical |
| 130738 | RHEL 8 : php:7.2 (RHSA-2019:3735) | Nessus | Red Hat Local Security Checks | critical |
| 130621 | SUSE SLES12 Security Update : php72 (SUSE-SU-2019:2909-1) | Nessus | SuSE Local Security Checks | critical |
| 130617 | FreeBSD : php -- env_path_info underflow in fpm_main.c can lead to RCE (6a7c2ab0-00dd-11ea-83ce-705a0f828759) | Nessus | FreeBSD Local Security Checks | critical |
| 130580 | openSUSE Security Update : php7 (openSUSE-2019-2441) | Nessus | SuSE Local Security Checks | critical |
| 130499 | Scientific Linux Security Update : php on SL6.x i386/x86_64 (20191031) | Nessus | Scientific Linux Local Security Checks | critical |
| 130497 | Oracle Linux 6 : php (ELSA-2019-3287) | Nessus | Oracle Linux Local Security Checks | critical |
| 130482 | Fedora 30 : php (2019-7bb07c3b02) | Nessus | Fedora Local Security Checks | critical |
| 130476 | Fedora 29 : php (2019-187ae3128d) | Nessus | Fedora Local Security Checks | critical |
| 130474 | CentOS 6 : php (CESA-2019:3287) | Nessus | CentOS Local Security Checks | critical |
| 130473 | CentOS 7 : php (CESA-2019:3286) | Nessus | CentOS Local Security Checks | critical |
| 130471 | Amazon Linux AMI : php71 / php72,php73,php56 (ALAS-2019-1315) | Nessus | Amazon Linux Local Security Checks | critical |
| 130470 | Amazon Linux 2 : php (ALAS-2019-1344) | Nessus | Amazon Linux Local Security Checks | critical |
| 130447 | Scientific Linux Security Update : php on SL7.x x86_64 (20191031) | Nessus | Scientific Linux Local Security Checks | critical |
| 130446 | RHEL 6 : php (RHSA-2019:3287) | Nessus | Red Hat Local Security Checks | critical |
| 130445 | RHEL 7 : php (RHSA-2019:3286) | Nessus | Red Hat Local Security Checks | critical |
| 130442 | Oracle Linux 7 : php (ELSA-2019-3286) | Nessus | Oracle Linux Local Security Checks | critical |
| 130421 | SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2019:2819-1) | Nessus | SuSE Local Security Checks | critical |
| 130411 | Fedora 31 : php (2019-4adc49a476) | Nessus | Fedora Local Security Checks | critical |
| 130390 | SUSE SLES12 Security Update : php7 (SUSE-SU-2019:2809-1) | Nessus | SuSE Local Security Checks | critical |
| 130362 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : PHP vulnerability (USN-4166-1) | Nessus | Ubuntu Local Security Checks | critical |
| 130350 | Debian DSA-4553-1 : php7.3 - security update | Nessus | Debian Local Security Checks | critical |
| 130349 | Debian DSA-4552-1 : php7.0 - security update | Nessus | Debian Local Security Checks | critical |
| 130329 | GLSA-201910-01 : PHP: Arbitrary code execution | Nessus | Gentoo Local Security Checks | critical |
| 130283 | Debian DLA-1970-1 : php5 security update | Nessus | Debian Local Security Checks | critical |
| 130276 | PHP < 7.1.33 / 7.2.x < 7.2.24 / 7.3.x < 7.3.11 Remote Code Execution Vulnerability. | Nessus | CGI abuses | critical |