Lucene search

[email protected]CVE-2019-11048

HistoryMay 20, 2020 - 8:15 a.m.

CVE-2019-11048

2020-05-2008:15:10

CWE-190

CWE-400

[email protected]

web.nvd.nist.gov

774

cve-2019-11048

php

http

file uploads

memory limit

temporary files

security vulnerability

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

5.5

Confidence

High

EPSS

0.012

Percentile

85.1%

JSON

In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.

Affected configurations

NVD

Node

phpphpRange7.2.0–7.2.31

phpphpRange7.3.0–7.3.18

phpphpRange7.4.0–7.4.6

CNA Affected

[
  {
    "product": "PHP",
    "vendor": "PHP Group",
    "versions": [
      {
        "lessThan": "7.3.18",
        "status": "affected",
        "version": "7.3.x",
        "versionType": "custom"
      },
      {
        "lessThan": "7.4.6",
        "status": "affected",
        "version": "7.4.x",
        "versionType": "custom"
      },
      {
        "lessThan": "7.2.31",
        "status": "affected",
        "version": "7.2.x",
        "versionType": "custom"
      }
    ]
  }
]