Unrated severity · NVD Advisory · Published Dec 23, 2019 · Updated Sep 16, 2024
DirectoryIterator class silently truncates after a null byte
CVE-2019-11045
Description
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, the PHP DirectoryIterator class accepts filenames containing an embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications that check which paths the code is allowed to access.
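A guard for the path-checking case described above, as an added example that is not part of the advisory or of PHP's own fix: it rejects embedded NUL bytes, canonicalises the path, and opens only the path that was checked. The function name `listAllowedDirectory`, its parameters and the temporary demo directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: $base and $userPath are hypothetical application inputs.
function listAllowedDirectory(string $base, string $userPath): array
{
    // Reject embedded NUL bytes before any path check. On affected versions
    // DirectoryIterator treats the name as ending at "\0", so the string that
    // was checked and the directory actually opened can differ.
    if (strpos($userPath, "\0") !== false) {
        throw new InvalidArgumentException('path contains a NUL byte');
    }

    $realBase = realpath($base);
    $realPath = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($realBase === false || $realPath === false || !is_dir($realPath)) {
        throw new InvalidArgumentException('path does not resolve to a directory');
    }

    // Compare canonical paths; the trailing separator stops "data-old" matching "data".
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($realPath !== $realBase && strncmp($realPath, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('path is outside the allowed base');
    }

    // Open the canonical path that was checked, never the raw input.
    $names = [];
    foreach (new DirectoryIterator($realPath) as $entry) {
        if (!$entry->isDot()) {
            $names[] = $entry->getFilename();
        }
    }
    sort($names);
    return $names;
}

// Constructed demo input: a temporary directory containing one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cve_demo_' . bin2hex(random_bytes(4));
mkdir($base . DIRECTORY_SEPARATOR . 'public', 0700, true);
touch($base . DIRECTORY_SEPARATOR . 'public' . DIRECTORY_SEPARATOR . 'a.txt');

print_r(listAllowedDirectory($base, 'public'));
foreach (["public\0/../..", '../'] as $bad) {
    try {
        listAllowedDirectory($base, $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The guard complements running a PHP version outside the affected ranges listed above; it does not replace it.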
Affected products: 1
Patches: 0 (no patches discovered yet)
References (13)
- lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/ (mitre, vendor-advisory, x_refsource_FEDORA)
- usn.ubuntu.com/4239-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4626 (mitre, vendor-advisory, x_refsource_DEBIAN)
- www.debian.org/security/2020/dsa-4628 (mitre, vendor-advisory, x_refsource_DEBIAN)
- bugs.php.net/bug.php (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2019/12/msg00034.html (mitre, mailing-list, x_refsource_MLIST)
- seclists.org/bugtraq/2020/Feb/27 (mitre, mailing-list, x_refsource_BUGTRAQ)
- seclists.org/bugtraq/2020/Feb/31 (mitre, mailing-list, x_refsource_BUGTRAQ)
- seclists.org/bugtraq/2021/Jan/3 (mitre, mailing-list, x_refsource_BUGTRAQ)
- security.netapp.com/advisory/ntap-20200103-0002/ (mitre, x_refsource_CONFIRM)
- www.tenable.com/security/tns-2021-14 (mitre, x_refsource_CONFIRM)