Home > Vulnerability Database > CVE-2019-11043

Mend.io Vulnerability Database

CVE-2019-11043

Good to know:

Date: October 28, 2019

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

Language: PHP

Severity Score

8.7

Related Resources (30)

Url: https://usn.ubuntu.com/4166-2/

Url: https://access.redhat.com/errata/RHSA-2019:3299

Url: http://seclists.org/fulldisclosure/2020/Jan/40

Url: http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/

Url: http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html

Url: https://seclists.org/bugtraq/2020/Jan/44

Url: http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html

Url: https://support.apple.com/kb/HT210919

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/

Url: https://access.redhat.com/errata/RHSA-2019:3724

Url: https://access.redhat.com/errata/RHSA-2019:3300

Url: https://security.netapp.com/advisory/ntap-20191031-0003/

Url: https://usn.ubuntu.com/4166-1/

Url: https://access.redhat.com/errata/RHSA-2020:0322

Url: https://access.redhat.com/errata/RHSA-2019:3287

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/

Url: https://access.redhat.com/security/cve/CVE-2019-11043

Url: https://www.tenable.com/security/tns-2021-14

Url: https://access.redhat.com/errata/RHSA-2019:3286

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-11043

Url: https://github.com/neex/phuip-fpizdam

Url: https://www.debian.org/security/2019/dsa-4553

Url: https://www.debian.org/security/2019/dsa-4552

Url: https://support.f5.com/csp/article/K75408500?utm_source=f5support&%3Butm_medium=RSS

Url: https://access.redhat.com/errata/RHSA-2019:3735

Url: https://access.redhat.com/errata/RHSA-2019:3736

Url: https://www.synology.com/security/advisory/Synology_SA_19_36

Url: https://bugs.php.net/bug.php?id=78599

Url: https://www.mend.io/vulnerability-database/CVE-2019-11043

Severity Score

8.7

Weakness Type (CWE)

Out-of-bounds Write

CWE-787

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-120

Top Fix

Upgrade Version

Upgrade to version 7.1.33,7.2.24,7.3.11

Learn More

CVSS v3.1

Base Score:	8.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2019-11043

Good to know:

Date: October 28, 2019

Language: PHP

Severity Score

Related Resources (30)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?