5.3

CVE-2019-11046

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.

Data is provided by the National Vulnerability Database (NVD)
PhpPhp Version >= 7.2.0 <= 7.2.26
PhpPhp Version >= 7.3.0 <= 7.3.13
PhpPhp Version7.4.0
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
FedoraprojectFedora Version30
FedoraprojectFedora Version31
OpensuseLeap Version15.1
CanonicalUbuntu Linux Version12.04 SwEdition-
CanonicalUbuntu Linux Version14.04 SwEditionesm
CanonicalUbuntu Linux Version16.04 SwEditionesm
CanonicalUbuntu Linux Version18.04 SwEditionlts
CanonicalUbuntu Linux Version19.04
CanonicalUbuntu Linux Version19.10
TenableSecuritycenter Version < 5.19.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 7.89% 0.917
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
security@php.net 3.7 2.2 1.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://seclists.org/bugtraq/2020/Feb/27
Third Party Advisory
Mailing List
https://seclists.org/bugtraq/2020/Feb/31
Third Party Advisory
Mailing List
https://seclists.org/bugtraq/2021/Jan/3
Third Party Advisory
Mailing List
https://usn.ubuntu.com/4239-1/
Third Party Advisory
https://bugs.php.net/bug.php?id=78878
Patch
Vendor Advisory
Mailing List