4.7

CVE-2018-10545

An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PhpPhp Version < 5.6.35
PhpPhp Version >= 7.0.0 < 7.0.29
PhpPhp Version >= 7.1.0 < 7.1.16
PhpPhp Version >= 7.2.0 < 7.2.4
CanonicalUbuntu Linux Version12.04 SwEditionesm
CanonicalUbuntu Linux Version14.04 SwEditionlts
CanonicalUbuntu Linux Version16.04 SwEditionlts
CanonicalUbuntu Linux Version17.10
CanonicalUbuntu Linux Version18.04 SwEditionlts
DebianDebian Linux Version7.0
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.07% 0.229
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.7 1 3.6
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 1.9 3.4 2.9
AV:L/AC:M/Au:N/C:P/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

http://php.net/ChangeLog-5.php
Patch
Vendor Advisory
http://php.net/ChangeLog-7.php
Patch
Vendor Advisory
http://www.securityfocus.com/bid/104022
Third Party Advisory
VDB Entry
https://bugs.php.net/bug.php?id=75605
Patch
Vendor Advisory
Issue Tracking
https://usn.ubuntu.com/3646-1/
Third Party Advisory
https://usn.ubuntu.com/3646-2/
Third Party Advisory