CVE-2019-11048
php7.3 - security update
CVSS 3.1: 5.3 (MEDIUM)
EPSS: 12.7%
Description
In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead the PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up the temporary files created by the upload request. This could lead to an accumulation of uncleaned temporary files that exhausts the disk space on the target server.
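To check a host for the leftover files described above, the following Python check (an added example, not part of the advisory or of PHP's code) lists old upload temp files and compares their size with the free space on the volume. The `php` + six character file name pattern on Unix-like systems, the one hour age threshold, and the sample directory contents are assumptions made for the example.

```python
import os
import re
import shutil
import tempfile
import time

# Assumption: on Unix-like hosts PHP names upload temp files "php" + 6 random
# characters (mkstemp-style) inside upload_tmp_dir (or the system temp dir).
UPLOAD_TMP_RE = re.compile(r"^php[A-Za-z0-9]{6}$")

def find_stale_upload_files(tmp_dir, max_age_seconds=3600, now=None):
    """Return sorted (path, size_bytes) for upload temp files older than the cutoff."""
    now = time.time() if now is None else now
    stale = []
    with os.scandir(tmp_dir) as entries:
        for entry in entries:
            if not UPLOAD_TMP_RE.match(entry.name):
                continue
            # Regular files only; never follow symlinks placed in a shared temp dir.
            if not entry.is_file(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            if now - st.st_mtime > max_age_seconds:
                stale.append((entry.path, st.st_size))
    return sorted(stale)

def summarize(tmp_dir, max_age_seconds=3600, now=None):
    """Count leftovers and report their total size next to the volume's free space."""
    stale = find_stale_upload_files(tmp_dir, max_age_seconds, now)
    return {"count": len(stale), "bytes": sum(size for _, size in stale),
            "free_bytes": shutil.disk_usage(tmp_dir).free}

def make_constructed_dir():
    """Constructed sample: one old leftover, one in-flight upload, one unrelated file."""
    d = tempfile.mkdtemp(prefix="cve_2019_11048_demo_")
    now = time.time()
    for name, size, age in [("phpA1b2C3", 4096, 7200), ("phpZz9Yx8", 1024, 30), ("sess_abc123", 64, 7200)]:
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        os.utime(path, (now - age, now - age))
    return d

if __name__ == "__main__":
    sample = make_constructed_dir()
    print(summarize(sample))
    shutil.rmtree(sample)
```

Point `summarize()` at the directory configured as `upload_tmp_dir` in php.ini; a count that keeps growing between runs on an unpatched version is the symptom the description refers to.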
How to fix CVE-2019-11048
To remediate CVE-2019-11048, upgrade the affected package to a fixed version below.
- upgrade to 5.6.40+dfsg-0+deb8u12 or later
- upgrade to 7.0.33-0+deb9u8 or later
- upgrade to 7.3.19-1~deb10u1 or later
- upgrade to 7.4.9-1 or later
Is CVE-2019-11048 being exploited?
Moderate — EPSS is 12.7%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (4)
- from 0, < 5.6.40+dfsg-0+deb8u12
- from 0, < 7.0.33-0+deb9u8
- from 0, < 7.3.19-1~deb10u1
- from 0, < 7.4.9-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |