In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of the FPM setup, it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html
lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html
packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html
seclists.org/fulldisclosure/2020/Jan/40
access.redhat.com/errata/RHSA-2019:3286
access.redhat.com/errata/RHSA-2019:3287
access.redhat.com/errata/RHSA-2019:3299
access.redhat.com/errata/RHSA-2019:3300
access.redhat.com/errata/RHSA-2019:3724
access.redhat.com/errata/RHSA-2019:3735
access.redhat.com/errata/RHSA-2019:3736
access.redhat.com/errata/RHSA-2020:0322
bugs.php.net/bug.php?id=78599
github.com/neex/phuip-fpizdam
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/
seclists.org/bugtraq/2020/Jan/44
security.netapp.com/advisory/ntap-20191031-0003/
support.apple.com/kb/HT210919
support.f5.com/csp/article/K75408500?utm_source=f5support&utm_medium=RSS
usn.ubuntu.com/4166-1/
usn.ubuntu.com/4166-2/
www.debian.org/security/2019/dsa-4552
www.debian.org/security/2019/dsa-4553
www.synology.com/security/advisory/Synology_SA_19_36
www.tenable.com/security/tns-2021-14