In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: php

Published: 2019-12-23T02:40:16.742266Z

Updated: 2024-09-17T01:47:06.457Z

Reserved: 2019-04-09T00:00:00

Link: CVE-2019-11044

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-12-23T03:15:10.913

Modified: 2024-11-21T04:20:26.257

Link: CVE-2019-11044

cve-icon Redhat

Severity :

Publid Date: 2019-11-23T00:00:00Z

Links: CVE-2019-11044 - Bugzilla