Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
Huawei EulerOS: Security Advisory for php (EulerOS-SA-2020-1747)
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
The remote host is missing an update for the Huawei EulerOS 'php' package(s) announced via the EulerOS-SA-2020-1747 advisory.
Insight
Insight
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11042) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11041) An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.(CVE-2018-5712) gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.(CVE-2018-5711) The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a 'Transfer-Encoding: chunked' request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.(CVE-2018-17082) exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.(CVE-2018-14851) An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.(CVE-2018-10547) An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the ... Description truncated. Please see the references for more information.
Affected Software
Affected Software
'php' package(s) on Huawei EulerOS Virtualization 3.0.6.0.
Detection Method
Detection Method
Checks if a vulnerable package version is present on the target host.
Solution
Solution
Please install the updated package(s).
Common Vulnerabilities and Exposures (CVE)
- CVE-2011-4718
- CVE-2014-9767
- CVE-2014-9912
- CVE-2015-4116
- CVE-2015-6831
- CVE-2015-6832
- CVE-2015-6833
- CVE-2015-7803
- CVE-2015-7804
- CVE-2015-8866
- CVE-2015-8867
- CVE-2015-8874
- CVE-2015-8879
- CVE-2015-8935
- CVE-2016-10158
- CVE-2016-10159
- CVE-2016-10161
- CVE-2016-10397
- CVE-2016-2554
- CVE-2016-3141
- CVE-2016-3142
- CVE-2016-3185
- CVE-2016-4070
- CVE-2016-4073
- CVE-2016-4539
- CVE-2016-4540
- CVE-2016-4542
- CVE-2016-5093
- CVE-2016-5094
- CVE-2016-5772
- CVE-2016-6288
- CVE-2016-6291
- CVE-2016-6292
- CVE-2016-6294
- CVE-2016-7124
- CVE-2016-7125
- CVE-2016-7128
- CVE-2016-7412
- CVE-2016-7414
- CVE-2016-7418
- CVE-2016-9934
- CVE-2016-9935
- CVE-2017-11143
- CVE-2017-11144
- CVE-2017-11145
- CVE-2017-11147
- CVE-2017-11628
- CVE-2017-12933
- CVE-2017-16642
- CVE-2017-7272
- CVE-2017-9226
- CVE-2018-10545
- CVE-2018-10547
- CVE-2018-14851
- CVE-2018-17082
- CVE-2018-5711
- CVE-2018-5712
- CVE-2019-11041
- CVE-2019-11042
- CVE-2019-11043
- CVE-2019-11047
- CVE-2019-11050
- CVE-2019-19204
- CVE-2019-19246
- CVE-2019-9641