PHP up to 5.6.39/7.1.25/7.2.13/7.3.0 RPC Server base64.c xmlrpc_decode out-of-bounds

Summaryinfo

A vulnerability has been found in PHP up to 5.6.39/7.1.25/7.2.13/7.3.0 and classified as critical. This issue affects the function xmlrpc_decode in the library ext/xmlrpc/libxmlrpc/base64.c of the component RPC Server. This manipulation causes out-of-bounds. This vulnerability appears as CVE-2019-9024. The attack may be initiated remotely. There is no available exploit. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as critical was found in PHP up to 5.6.39/7.1.25/7.2.13/7.3.0 (Programming Language Software). Affected by this vulnerability is the function xmlrpc_decode in the library ext/xmlrpc/libxmlrpc/base64.c of the component RPC Server. The manipulation with an unknown input leads to a out-of-bounds vulnerability. The CWE definition for the vulnerability is CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c.

The bug was discovered 02/22/2019. The weakness was presented 02/22/2019 (Website). The advisory is shared at securityfocus.com. This vulnerability is known as CVE-2019-9024 since 02/22/2019. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are known, but no exploit is available.

The commercial vulnerability scanner Qualys is able to test this issue with plugin 176624 (Debian Security Update for php7.0 (DSA 4398-1)).

Upgrading to version 5.6.40, 7.1.26, 7.2.14 or 7.3.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 107156†). See VDB-131077, VDB-131109, VDB-131110 and VDB-131111 for similar entries. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Programming Language Software

Name

• PHP

Version

• 5.6.0
• 5.6.1
• 5.6.2
• 5.6.3
• 5.6.4
• 5.6.5
• 5.6.6
• 5.6.7
• 5.6.8
• 5.6.9
• 5.6.10
• 5.6.11
• 5.6.12
• 5.6.13
• 5.6.14
• 5.6.15
• 5.6.16
• 5.6.17
• 5.6.18
• 5.6.19
• 5.6.20
• 5.6.21
• 5.6.22
• 5.6.23
• 5.6.24
• 5.6.25
• 5.6.26
• 5.6.27
• 5.6.28
• 5.6.29
• 5.6.30
• 5.6.31
• 5.6.32
• 5.6.33
• 5.6.34
• 5.6.35
• 5.6.36
• 5.6.37
• 5.6.38
• 5.6.39
• 7.0
• 7.1
• 7.1.0
• 7.1.1
• 7.1.2
• 7.1.3
• 7.1.4
• 7.1.5
• 7.1.6
• 7.1.7
• 7.1.8
• 7.1.9
• 7.1.10
• 7.1.11
• 7.1.12
• 7.1.13
• 7.1.14
• 7.1.15
• 7.1.16
• 7.1.17
• 7.1.18
• 7.1.19
• 7.1.20
• 7.1.21
• 7.1.22
• 7.1.23
• 7.1.24
• 7.1.25
• 7.2
• 7.2.0
• 7.2.1
• 7.2.2
• 7.2.3
• 7.2.4
• 7.2.5
• 7.2.6
• 7.2.7
• 7.2.8
• 7.2.9
• 7.2.10
• 7.2.11
• 7.2.12
• 7.2.13
• 7.3.0

License

• open-source

Website

• Product: https://www.php.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion