In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html cve-icon cve-icon
http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html cve-icon cve-icon
http://seclists.org/fulldisclosure/2020/Jan/40 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3286 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3287 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3299 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3300 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3724 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3735 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3736 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2020:0322 cve-icon cve-icon
https://bugs.php.net/bug.php?id=78599 cve-icon cve-icon
https://github.com/neex/phuip-fpizdam cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2019-11043 cve-icon
https://seclists.org/bugtraq/2020/Jan/44 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20191031-0003/ cve-icon cve-icon
https://support.apple.com/kb/HT210919 cve-icon cve-icon
https://support.f5.com/csp/article/K75408500?utm_source=f5support&amp%3Butm_medium=RSS cve-icon cve-icon
https://usn.ubuntu.com/4166-1/ cve-icon cve-icon
https://usn.ubuntu.com/4166-2/ cve-icon cve-icon
https://www.cisa.gov/known-exploited-vulnerabilities-catalog cve-icon
https://www.cve.org/CVERecord?id=CVE-2019-11043 cve-icon
https://www.debian.org/security/2019/dsa-4552 cve-icon cve-icon
https://www.debian.org/security/2019/dsa-4553 cve-icon cve-icon
https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/ cve-icon
https://www.synology.com/security/advisory/Synology_SA_19_36 cve-icon cve-icon
https://www.tenable.com/security/tns-2021-14 cve-icon cve-icon
History

Wed, 14 Aug 2024 00:30:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: php

Published: 2019-10-28T14:19:04.252868Z

Updated: 2024-09-16T23:31:14.209Z

Reserved: 2019-04-09T00:00:00

Link: CVE-2019-11043

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-10-28T15:15:13.863

Modified: 2024-11-21T04:20:26.040

Link: CVE-2019-11043

cve-icon Redhat

Severity : Critical

Publid Date: 2019-10-24T00:00:00Z

Links: CVE-2019-11043 - Bugzilla