CVE-2019-11045

Summary

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

Affected Software

VendorProductVersion RangeStatus
PHP GroupPHP7.2.x < 7.2.26affected
PHP GroupPHP7.3.x < 7.3.13affected
PHP GroupPHP7.4.x < 7.4.1affected

Weaknesses

  • CWE-170: CWE-170 Improper Null Termination

ADP Enrichment

CVE Program Container

Additional References

References