Vulnerability CVE-2019-11049: Information

Description

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when custom headers are supplied to the mail() function, a mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e means that a header supplied in lowercase can result in certain memory locations being freed twice (double free).

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: Dec. 23, 2019
Modified: Nov. 7, 2023
Error type identifier: CWE-415

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| php7 | p10 | 7.3.13-alt1 | 7.4.33-alt1 | ALT-PU-2019-3355-1 | 243313 | Fixed |
| php7 | p9 | 7.3.13-alt1 | 7.3.33-alt1 | ALT-PU-2019-3390-1 | 243314 | Fixed |
| php7 | c10f1 | 7.3.13-alt1 | 7.4.33-alt1 | ALT-PU-2019-3355-1 | 243313 | Fixed |
| php7 | c9f2 | 7.3.13-alt1 | 7.4.33-alt1 | ALT-PU-2019-3390-1 | 243314 | Fixed |

References to Advisories, Solutions, and Tools

      Configuration 1

      cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

      cpe:2.3:a:php:php:7.4.0:*:*:*:*:*:*:*

      Running on/with:
      cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

      Configuration 2

      cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

      cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

      Configuration 3

      cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

      Configuration 4

      cpe:2.3:a:tenable:securitycenter:*:*:*:*:*:*:*:*
      End excluding
      5.19.0