php
Fixed in: 7.2.26, 7.3.13, 7.4.1
CVE-2019-11046 is a memory disclosure vulnerability in the PHP bcmath extension. The flaw allows attackers to read beyond the allocated memory space when bcmath functions process specially crafted input strings. It affects PHP versions 7.2.x prior to 7.2.26, 7.3.x prior to 7.3.13, and 7.4.0; fixes are available in PHP 7.2.26, 7.3.13 and 7.4.1.
Successful exploitation of CVE-2019-11046 could allow an attacker to read sensitive information from the server's memory. While the vulnerability is rated as LOW severity, the potential for information disclosure is significant. An attacker could potentially gain access to configuration files, database credentials, or other sensitive data held in memory. The impact is amplified if the server hosts web applications handling sensitive user data, as the attacker could correlate memory contents with application behavior to infer further information. The vulnerability is particularly concerning on Windows systems because the flaw depends on how the operating system's locale identifies numeric characters.
CVE-2019-11046 was publicly disclosed on December 23, 2019. There is no indication of active exploitation campaigns targeting this vulnerability at this time. Public proof-of-concept exploits are available, demonstrating the feasibility of exploiting the memory disclosure. The vulnerability has not been added to the CISA KEV catalog.
Web applications and services relying on PHP versions 7.2.x prior to 7.2.26, 7.3.x prior to 7.3.13, and 7.4.0 are at risk. This includes shared hosting environments where multiple applications may be running on the same PHP installation. Systems with custom PHP configurations or extensions are also at increased risk if they have not been properly patched.
• linux / server:
journalctl -g "bcmath" -u php-fpm
• generic web:
curl -I http://your-php-application/ | grep -i "bcmath"
Exploit status
EPSS
8.24% (92nd percentile)
CVSS vector
The primary mitigation for CVE-2019-11046 is to upgrade to a patched version of PHP: 7.2.26, 7.3.13 or 7.4.1 and later. If upgrading is not immediately feasible, consider temporary workarounds such as input validation of the data passed to bcmath functions. While not a complete solution, this reduces the attack surface. Monitor PHP error logs for unusual activity related to bcmath functions. After upgrading, confirm the fix by attempting to trigger the vulnerability with a known malicious input string and verifying that it no longer results in memory disclosure.
Upgrade to the latest version of PHP. If you are using PHP 7.2.x, upgrade to version 7.2.26 or later. If you are using PHP 7.3.x, upgrade to version 7.3.13 or later. If you are using PHP 7.4.0, upgrade to version 7.4.1 or later.
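One way to implement the input-validation workaround mentioned above, as an added example that is not code from this advisory or from PHP itself: a strict allow-list wrapper that only lets plain ASCII decimal strings reach bcmath, rejecting everything else before the extension sees it. The class name and the "ASCII decimals only" policy are assumptions for the example.

```php
<?php
// Added example, not code from the advisory or from PHP: a strict allow-list
// wrapper for bcmath operands, usable as a temporary workaround on installs
// that cannot yet move to 7.2.26 / 7.3.13 / 7.4.1.
// Assumption (hypothetical policy): operands are only ever plain ASCII decimal
// strings, so anything else is rejected before it reaches the extension.
declare(strict_types=1);

final class StrictBc
{
    // Optional sign, ASCII digits, optional fraction. Written with [0-9] rather
    // than \d so no locale- or Unicode-classified "digit" slips through.
    private const NUMERIC = '/\A[+-]?[0-9]+(?:\.[0-9]+)?\z/';

    public static function isSafeOperand($value): bool
    {
        return is_string($value) && preg_match(self::NUMERIC, $value) === 1;
    }

    private static function check(string ...$operands): void
    {
        foreach ($operands as $i => $op) {
            if (!self::isSafeOperand($op)) {
                // Reject, never "sanitise"; the log line supports the monitoring
                // of unusual bcmath input recommended above (length only, no data).
                error_log(sprintf('StrictBc: rejected operand %d (%d bytes)', $i, strlen($op)));
                throw new InvalidArgumentException("bcmath operand $i is not an ASCII decimal string");
            }
        }
    }

    public static function add(string $a, string $b, int $scale = 0): string
    {
        self::check($a, $b);
        return bcadd($a, $b, $scale);
    }

    public static function comp(string $a, string $b, int $scale = 0): int
    {
        self::check($a, $b);
        return bccomp($a, $b, $scale);
    }
}

// Constructed inputs: a clean operand and one carrying a non-ASCII digit (U+0662).
echo StrictBc::add('10.25', '0.75', 2), "\n";   // 11.00
var_dump(StrictBc::isSafeOperand("1\u{0662}")); // bool(false)
```

Wrap every bcmath call the application makes the same way; an operand that fails the check is logged and refused rather than rewritten, so the log can be watched for probing.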
CVE-2019-11046 is a vulnerability in PHP's bcmath extension that allows attackers to read beyond allocated memory, potentially exposing sensitive data. It affects PHP versions from 7.2.0 up to, but not including, the fixed releases 7.2.26, 7.3.13 and 7.4.1, and is rated as LOW severity.
You are affected if you are running PHP versions 7.2.x prior to 7.2.26, 7.3.x prior to 7.3.13, or 7.4.0. Check your PHP version and upgrade if necessary.
Upgrade to PHP 7.4.1 or later to resolve the vulnerability. If upgrading is not possible, implement input validation for bcmath functions as a temporary workaround.
There is no current evidence of active exploitation campaigns targeting CVE-2019-11046, but public proof-of-concept exploits exist.
Refer to the official PHP security advisory: https://security.php.net/CVE-2019-11046