CVE-2019-11043

Summary

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

Affected Software

VendorProductVersion RangeStatus
PHPPHP7.1.x < 7.1.33affected
PHPPHP7.2.x < 7.2.24affected
PHPPHP7.3.x < 7.3.11affected

Weaknesses

  • CWE-120: CWE-120 Buffer Overflow

Workarounds

Configuring nginx (or other server that implements the front-end part of the FPM protocol) to check for the existence of the target file before passing it to PHP FPM (e.g. "try_files $uri =404" or "if (-f $uri)" in nginx) for would prevent this vulnerability from happening.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: no
    • Technical Impact: total

Additional References

References