SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF)

[Forgot Password]

Paid content will be excluded from the download.

Download | Alert*

CVE

CVE-2019-11043

Date: (C)2019-10-29 (M)2024-04-26

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:		CVSS V2 Severity:
CVSS Score : 9.8		CVSS Score : 7.5
Exploit Score: 3.9		Exploit Score: 10.0
Impact Score: 5.9		Impact Score: 6.4

CVSS V3 Metrics:		CVSS V2 Metrics:
Attack Vector: NETWORK		Access Vector: NETWORK
Attack Complexity: LOW		Access Complexity: LOW
Privileges Required: NONE		Authentication: NONE
User Interaction: NONE		Confidentiality: PARTIAL
Scope: UNCHANGED		Integrity: PARTIAL
Confidentiality: HIGH		Availability: PARTIAL
Integrity: HIGH
Availability: HIGH

Reference:

https://seclists.org/bugtraq/2020/Jan/44

http://seclists.org/fulldisclosure/2020/Jan/40

FEDORA-2019-187ae3128d

FEDORA-2019-4adc49a476

FEDORA-2019-7bb07c3b02

http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html

https://bugs.php.net/bug.php?id=78599

https://github.com/neex/phuip-fpizdam

https://security.netapp.com/advisory/ntap-20191031-0003/

https://support.apple.com/kb/HT210919

https://support.f5.com/csp/article/K75408500?utm_source=f5support&%3Butm_medium=RSS

https://www.synology.com/security/advisory/Synology_SA_19_36

https://www.tenable.com/security/tns-2021-14

openSUSE-SU-2019:2441

openSUSE-SU-2019:2457

cpe:/o:debian:debian_linux:9.0
cpe:/o:canonical:ubuntu_linux:12.04::~~esm~~~
cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
cpe:/a:php:php
...

oval:org.secpod.oval:def:2105272
oval:org.secpod.oval:def:604578
oval:org.secpod.oval:def:705255
oval:org.secpod.oval:def:1601073
...

© SecPod Technologies