CVE-2019-11046

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
phpCNA
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 92%
VendorProductVersion
phpphp
7.2.0 ≤
𝑥
≤ 7.2.26
phpphp
7.3.0 ≤
𝑥
≤ 7.3.13
phpphp
7.4.0
debiandebian_linux
8.0
debiandebian_linux
9.0
debiandebian_linux
10.0
opensuseleap
15.1
canonicalubuntu_linux
12.04
canonicalubuntu_linux
14.04
canonicalubuntu_linux
16.04
canonicalubuntu_linux
18.04
canonicalubuntu_linux
19.04
canonicalubuntu_linux
19.10
tenablesecuritycenter
𝑥
< 5.19.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php5
eoan
dne
disco
dne
bionic
dne
xenial
dne
trusty
Fixed 5.5.9+dfsg-1ubuntu4.29+esm8
released
php7.0
eoan
dne
disco
dne
bionic
dne
xenial
Fixed 7.0.33-0ubuntu0.16.04.9
released
trusty
dne
php7.2
eoan
dne
disco
Fixed 7.2.24-0ubuntu0.19.04.2
released
bionic
Fixed 7.2.24-0ubuntu0.18.04.2
released
xenial
dne
trusty
dne
php7.3
eoan
Fixed 7.3.11-0ubuntu0.19.10.2
released
disco
dne
bionic
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html
https://bugs.php.net/bug.php?id=78878
https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
https://seclists.org/bugtraq/2020/Feb/27
https://seclists.org/bugtraq/2020/Feb/31
https://seclists.org/bugtraq/2021/Jan/3
https://security.netapp.com/advisory/ntap-20200103-0002/
https://support.f5.com/csp/article/K48866433?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/4239-1/
https://www.debian.org/security/2020/dsa-4626
https://www.debian.org/security/2020/dsa-4628
https://www.tenable.com/security/tns-2021-14
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html
https://bugs.php.net/bug.php?id=78878
https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
https://seclists.org/bugtraq/2020/Feb/27
https://seclists.org/bugtraq/2020/Feb/31
https://seclists.org/bugtraq/2021/Jan/3
https://security.netapp.com/advisory/ntap-20200103-0002/
https://support.f5.com/csp/article/K48866433?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/4239-1/
https://www.debian.org/security/2020/dsa-4626
https://www.debian.org/security/2020/dsa-4628
https://www.tenable.com/security/tns-2021-14