CVE-2019-9675
PUBLISHED
An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently cannot happen: "This issue allows theoretical compromise of security, but a practical attack is usually impossible."
EPSS 0.49% · 65.9th percentile
Risk Scores: EPSS Score 0.49% (65.9th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | php7.2 | 0, 7.2.2-1ubuntu1, 7.2.2-1ubuntu2 |
| Ubuntu:16.04:LTS | php7.0 | 0, 7.0.1-6, 7.0.2-1 |
| Ubuntu:14.04:LTS | php5 | 0, 5.5.3+dfsg-1ubuntu2, 5.5.3+dfsg-1ubuntu3 |
Exploit Intelligence
- phar_tar_writeheaders_int() buffer overflow (hackerone)
- cve_db.json (github-poc)
Timeline
- CVE Published
- Nov 9, 2020 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-9675 third-party-advisory
- http://php.net/ChangeLog-7.php third-party-advisory
- https://ubuntu.com/security/notices/USN-3922-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-3922-2 vendor-advisory
- https://ubuntu.com/security/notices/USN-3922-3 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-9675 third-party-advisory