Platform: php
Component: php
Fixed in: 7.3.13, 7.4.1
CVE-2019-11049 is a double-free vulnerability affecting the PHP mail() function on Windows systems. This flaw can lead to memory corruption when custom headers are supplied in lowercase, potentially causing application crashes or unexpected behavior. The vulnerability affects PHP versions 7.3.0 through 7.4.1. It was fixed in PHP version 7.4.1.
The core of the vulnerability lies in the handling of custom headers within the mail() function. When a custom header is supplied in lowercase, the flawed code can result in a double-free of memory locations. A double-free occurs when the same memory location is freed twice, leading to unpredictable behavior and potential crashes. While direct remote code execution is unlikely, a successful exploit could cause the PHP application to crash, leading to a denial of service. The impact is amplified in environments where the PHP application is critical for business operations, as an unexpected crash can disrupt services and potentially lead to data loss.
CVE-2019-11049 was published on December 23, 2019. As of the current date, there are no publicly known active campaigns exploiting this vulnerability. No exploitation details or proof-of-concept (POC) code have been publicly released. The vulnerability's severity is rated as MEDIUM, indicating a moderate risk. It is not currently listed on KEV or EPSS.
Exploit status
EPSS: 2.80% (86th percentile)
CVSS vector
The primary mitigation for CVE-2019-11049 is to upgrade to PHP version 7.4.1 or later. This version contains the fix that addresses the double-free condition. If upgrading is not immediately feasible, consider implementing a workaround by ensuring that all custom headers passed to the mail() function are consistently formatted (either all uppercase or all lowercase) to avoid triggering the flawed logic. While not a complete solution, this can reduce the likelihood of the vulnerability being exploited. After upgrading, confirm the fix by attempting to send an email with a custom header in lowercase and verifying that no errors or crashes occur.
Upgrade to PHP version 7.3.13 or later, or to version 7.4.1 or later. This fixes the double-free vulnerability that occurs when the mail() function is used with custom headers in lowercase on Windows.
PHP versions 7.3.x prior to 7.3.13 and version 7.4.0 on Windows are vulnerable.
Check the PHP version installed on your server. If it’s a vulnerable version, update to a patched version.
Yes, versions 7.3.13 and 7.4.1 or higher include the fix for this vulnerability.
Implement input validation to ensure custom headers are sent in a secure format, although this is not a complete solution.
Although there are no known public exploits, it is recommended to apply the fix to prevent future attacks.
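The version check and the header-formatting workaround described above, as an added example that is not part of this advisory or of PHP's own code. It uses only the affected range the advisory lists (7.3.x before 7.3.13, and 7.4.0, on Windows builds) and the built-in version_compare(), PHP_VERSION and PHP_OS_FAMILY. The choice of canonical Title-Case for header names (e.g. "x-mailer" becomes "X-Mailer") is this example's own; header field names are case-insensitive, so any single consistent form satisfies the advisory's "consistently formatted" advice, and the helper also rejects CR/LF so a caller cannot smuggle extra headers through the same path.

```php
<?php
// Added example for CVE-2019-11049 (not from the advisory or from PHP itself):
// 1) report whether the running PHP build is in the affected version range;
// 2) normalise custom mail() headers to one consistent form before use.

/**
 * True when $version lies in the range the advisory lists as affected:
 * 7.3.x before 7.3.13, or exactly 7.4.0. Only Windows builds are affected,
 * so the caller combines this with runningOnWindows().
 */
function isAffectedPhpVersion(string $version): bool
{
    $in73 = version_compare($version, '7.3.0', '>=')
         && version_compare($version, '7.3.13', '<');
    $is740 = version_compare($version, '7.4.0', '==');
    return $in73 || $is740;
}

function runningOnWindows(): bool
{
    // PHP_OS_FAMILY is available since PHP 7.2
    return PHP_OS_FAMILY === 'Windows';
}

/**
 * Workaround helper: accept an associative array name => value and return it
 * with every header name rewritten to canonical Title-Case ("x-mailer" ->
 * "X-Mailer"), so custom headers reach mail() in one consistent format.
 * Values containing CR or LF are rejected to block header injection.
 */
function normaliseHeaders(array $headers): array
{
    $out = [];
    foreach ($headers as $name => $value) {
        $name  = trim((string) $name);
        $value = trim((string) $value);
        if (preg_match('/[\r\n]/', $name . $value)) {
            throw new InvalidArgumentException("CR/LF not allowed in header: $name");
        }
        $parts = explode('-', strtolower($name));
        $canonical = implode('-', array_map('ucfirst', $parts));
        $out[$canonical] = $value;
    }
    return $out;
}

// Usage: check this host, then show the normalised headers that would be
// handed to mail() (mail() accepts an associative header array since PHP 7.2).
if (runningOnWindows() && isAffectedPhpVersion(PHP_VERSION)) {
    echo 'PHP ' . PHP_VERSION . " on Windows is in the affected range; upgrade to 7.3.13 / 7.4.1 or later.\n";
} else {
    echo 'PHP ' . PHP_VERSION . " is not in the affected range for CVE-2019-11049.\n";
}

// Constructed sample headers, deliberately in lowercase as in the advisory
$headers = normaliseHeaders([
    'x-mailer' => 'example-app',
    'reply-to' => 'noreply@example.invalid',
]);
print_r($headers);
```

Run it with `php check.php` on the affected host; the version test is the part worth wiring into a deployment check, while normaliseHeaders() is only a stop-gap until the upgrade is applied.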