Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
CVE-2019-9021
CVE information
Published
Last Modified
CVSSv2.0 Severity
CVSSv3.1 Severity
Impact Analysis
Description
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c..
CVSSv2.0 Score
- Severity
- High
- Base Score
- 7.5/10
- Exploit Score
- 10/10
- Access Vector
- Network
- Access Complexity
- Low
- Authentication Required
- None
- Impact Score
- 6.4/10
- Confidentiality Impact
- Partial
- Availability Impact
- Partial
- Integrity Impact
- Partial
CVSSv3.1 Score
- Severity
- Critical
- Base Score
- 9.8/10
- Exploit Score
- 3.9/10
- Access Vector
- Network
- Access Complexity
- Low
- Privileges Required
- None
- Impact Score
- 5.9/10
- Confidentiality Impact
- High
- Availability Impact
- High
- Integrity Impact
- High
- Scope
- Unchanged
- User Interaction
- None
Products Affected
CPE | Affected | Vulnerable | Excluding | Edit |
---|---|---|---|---|
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* |
Yes
|
7.2.0 | 7.2.14 | |
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* |
Yes
|
7.0.0 | 7.1.26 | |
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* |
Yes
|
- | 5.6.40 | |
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* |
Yes
|
7.3.0 | 7.3.1 | |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* |
Yes
|
- | - | |
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* |
Yes
|
- | - | |
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:* |
Yes
|
- | - | |
cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:* |
Yes
|
- | - | |
cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:* |
Yes
|
- | - |
References
- https://bugs.php.net/bug.php?id=77247
- http://www.securityfocus.com/bid/107156
- http://www.securityfocus.com/bid/106747
- https://www.debian.org/security/2019/dsa-4398
- https://usn.ubuntu.com/3902-1/
- https://usn.ubuntu.com/3902-2/
- https://security.netapp.com/advisory/ntap-20190321-0001/
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
- https://access.redhat.com/errata/RHSA-2019:2519
- https://access.redhat.com/errata/RHSA-2019:3299