CVE-2019-11048

In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00045.html
https://bugs.php.net/bug.php?id=78875	Exploit Issue Tracking Vendor Advisory
https://bugs.php.net/bug.php?id=78876	Exploit Issue Tracking Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/06/msg00033.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBA3TFZSP3TB5N4G24SO6BI64RJZXE3D/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDUQ7XFONY3BWTAQQUD3QUGZT6NFZUF/
https://security.netapp.com/advisory/ntap-20200528-0006/
https://usn.ubuntu.com/4375-1/
https://www.debian.org/security/2020/dsa-4717
https://www.debian.org/security/2020/dsa-4719
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.tenable.com/security/tns-2021-14
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00045.html
https://bugs.php.net/bug.php?id=78875	Exploit Issue Tracking Vendor Advisory
https://bugs.php.net/bug.php?id=78876	Exploit Issue Tracking Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/06/msg00033.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBA3TFZSP3TB5N4G24SO6BI64RJZXE3D/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDUQ7XFONY3BWTAQQUD3QUGZT6NFZUF/
https://security.netapp.com/advisory/ntap-20200528-0006/
https://usn.ubuntu.com/4375-1/
https://www.debian.org/security/2020/dsa-4717
https://www.debian.org/security/2020/dsa-4719
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.tenable.com/security/tns-2021-14

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

History

21 Nov 2024, 04:20

Type	Values Removed	Values Added
References	~~() http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00045.html -~~	() http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00045.html -
References	~~() https://bugs.php.net/bug.php?id=78875 - Exploit, Issue Tracking, Vendor Advisory~~	() https://bugs.php.net/bug.php?id=78875 - Exploit, Issue Tracking, Vendor Advisory
References	~~() https://bugs.php.net/bug.php?id=78876 - Exploit, Issue Tracking, Vendor Advisory~~	() https://bugs.php.net/bug.php?id=78876 - Exploit, Issue Tracking, Vendor Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2020/06/msg00033.html -~~	() https://lists.debian.org/debian-lts-announce/2020/06/msg00033.html -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBA3TFZSP3TB5N4G24SO6BI64RJZXE3D/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBA3TFZSP3TB5N4G24SO6BI64RJZXE3D/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDUQ7XFONY3BWTAQQUD3QUGZT6NFZUF/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDUQ7XFONY3BWTAQQUD3QUGZT6NFZUF/ -
References	~~() https://security.netapp.com/advisory/ntap-20200528-0006/ -~~	() https://security.netapp.com/advisory/ntap-20200528-0006/ -
References	~~() https://usn.ubuntu.com/4375-1/ -~~	() https://usn.ubuntu.com/4375-1/ -
References	~~() https://www.debian.org/security/2020/dsa-4717 -~~	() https://www.debian.org/security/2020/dsa-4717 -
References	~~() https://www.debian.org/security/2020/dsa-4719 -~~	() https://www.debian.org/security/2020/dsa-4719 -
References	~~() https://www.oracle.com/security-alerts/cpuApr2021.html -~~	() https://www.oracle.com/security-alerts/cpuApr2021.html -
References	~~() https://www.oracle.com/security-alerts/cpuoct2020.html -~~	() https://www.oracle.com/security-alerts/cpuoct2020.html -
References	~~() https://www.tenable.com/security/tns-2021-14 -~~	() https://www.tenable.com/security/tns-2021-14 -

07 Nov 2023, 03:02

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBA3TFZSP3TB5N4G24SO6BI64RJZXE3D/', 'name': 'FEDORA-2020-8838d072d5', 'tags': [], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDUQ7XFONY3BWTAQQUD3QUGZT6NFZUF/', 'name': 'FEDORA-2020-9fa7f4e25c', 'tags': [], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDUQ7XFONY3BWTAQQUD3QUGZT6NFZUF/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBA3TFZSP3TB5N4G24SO6BI64RJZXE3D/ -

Information

Published : 2020-05-20 08:15

Updated : 2024-11-21 04:20

NVD link : CVE-2019-11048

Mitre link : CVE-2019-11048

CVE.ORG link : CVE-2019-11048

JSON object : View

Products Affected

php

CWE

CWE-190

Integer Overflow or Wraparound

CWE-400

Uncontrolled Resource Consumption

5.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2019-11048

5.3^/10

5.0^/10

Attach tags to `CVE-2019-11048`