Releases1
Last Release
Downloads2.6K
Rust bindings for the PHP runtime

CVE History

CVEAffectedPublishedCVSS v3CVSS v2
>= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.67.5 HIGH

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.

>= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.69.1 CRITICAL

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.

>= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.67.5 HIGH

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.

>= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.67.5 HIGH

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.  This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.

>= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.69.8 CRITICAL

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.

>= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.66.5 MEDIUM

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to  a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().

>= 8.2.0, < 8.2.21, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.67.5 HIGH

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.

>= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.66.1 MEDIUM

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

>= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.69.8 CRITICAL

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.

>= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.69.8 CRITICAL

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.

>= 8.1.0, < 8.1.34, >= 8.2.0, < 8.2.30, >= 8.3.0, < 8.3.29, >= 8.4.0, < 8.4.16, >= 8.5.0, < 8.5.17.5 HIGH

In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.

>= 8.1.0, < 8.1.34, >= 8.2.0, < 8.2.30, >= 8.3.0, < 8.3.29, >= 8.4.0, < 8.4.16, = 8.5.07.5 HIGH

In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.

>= 8.1.0, < 8.1.34, >= 8.2.0, < 8.2.30, >= 8.3.0, < 8.3.29, >= 8.4.0, < 8.4.16, >= 8.5.0, < 8.5.16.5 MEDIUM

In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

>= 8.1.0, < 8.1.33, >= 8.2.0, < 8.2.29, >= 8.3.0, < 8.3.23, >= 8.4.0, < 8.4.103.7 LOW

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.

>= 8.1.0, < 8.1.33, >= 8.2.0, < 8.2.29, >= 8.3.0, < 8.3.23, >= 8.4.0, < 8.4.105.9 MEDIUM

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.

>= 8.1.0, < 8.1.33, >= 8.2.0, < 8.2.29, >= 8.3.0, < 8.3.23, >= 8.4.0, < 8.4.105.9 MEDIUM

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.

>= 8.3.0, < 8.3.19, >= 8.4.0, < 8.4.58.1 HIGH

In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=  operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

>= 8.1.0, < 8.1.32, >= 8.2.0, < 8.2.28, >= 8.3.0, < 8.3.19, >= 8.4.0, < 8.4.55.3 MEDIUM

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

>= 8.1.0, < 8.1.32, >= 8.2.0, < 8.2.28, >= 8.3.0, < 8.3.19, >= 8.4.0, < 8.4.57.3 HIGH

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.

>= 8.3.0, < 8.3.14, >= 8.2.0, < 8.2.26, >= 8.1.0, < 8.1.31, >= 8.4.0, < 8.4.59.8 CRITICAL

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.

>= 8.1.0, < 8.1.32, >= 8.2.0, < 8.2.28, >= 8.3.0, < 8.3.19, >= 8.4.0, < 8.4.55.3 MEDIUM

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

>= 8.1.0, < 8.1.32, >= 8.2.0, < 8.2.28, >= 8.3.0, < 8.3.19, >= 8.4.0, < 8.4.53.1 LOW

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.

>= 8.0.0, < 8.0.27, >= 8.1.0, < 8.1.15, >= 8.2.0, < 8.2.29.1 CRITICAL

In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.

>= 8.3.0, < 8.3.14, >= 8.2.0, < 8.2.26, >= 8.1.0, < 8.1.314.8 MEDIUM

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.

>= 8.3.0, < 8.3.14, >= 8.2.0, < 8.2.26, >= 8.1.0, < 8.1.319.8 CRITICAL

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

>= 8.3.0, < 8.3.14, >= 8.2.0, < 8.2.26, >= 8.1.0, < 8.1.314.8 MEDIUM

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.

>= 8.3.0, < 8.3.14, >= 8.2.0, < 8.2.26, >= 8.1.0, < 8.1.315.8 MEDIUM

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.

>= 8.3.0, < 8.3.14, >= 8.2.0, < 8.2.26, >= 8.1.0, < 8.1.319.8 CRITICAL

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

>= 8.1.0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.123.3 LOW

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

>= 8.1.0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.128.1 HIGH

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for  CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3  may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

>= 8.1.0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.127.5 HIGH

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

>= 8.1.0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.123.1 LOW

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.

= *, >= 8.2.0, < 8.2.20, >= 8.3.0, < 8.3.8, >= 8.1.0, < 8.1.299.8 CRITICAL

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

>= 8.2.0, < 8.2.20, >= 8.3.0, < 8.3.8, >= 8.1.0, < 8.1.295.9 MEDIUM

The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.

>= 8.2.0, < 8.2.20, >= 8.3.0, < 8.3.8, >= 8.1.0, < 8.1.297.7 HIGH

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

>= 8.2.0, < 8.2.20, >= 8.3.0, < 8.3.8, >= 8.1.0, < 8.1.29, >= 8.0.2, <= 8.0.30, >= 7.4.15, <= 7.4.33, >= 7.3.27, <= 7.3.335.3 MEDIUM

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.

>= 8.3.0, < 8.3.57.5 HIGH

In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function.

>= 8.3.0, < 8.3.5, >= 8.1.0, < 8.1.28, >= 8.2.0, < 8.2.186.5 MEDIUM

In PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

>= 8.3.0, < 8.3.5, >= 8.1.0, < 8.1.28, >= 8.2.0, < 8.2.189.4 CRITICAL

In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

= *, < 8.1.28, >= 8.2.0, < 8.2.18, >= 8.3.0, < 8.3.69.8 CRITICAL

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

< 8.0.06.8 MEDIUM

php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue.

< 8.0.226.2 MEDIUM

A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.

= *, >= 8.1.0, < 8.1.22, >= 8.0.0, < 8.0.30, >= 8.2.0, < 8.2.99.4 CRITICAL

In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.

= *, >= 8.1.0, < 8.1.22, >= 8.0.0, < 8.0.30, >= 8.2.0, < 8.2.98.6 HIGH

In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.

>= 8.2.0, < 8.2.7, >= 8.1.0, < 8.1.20, >= 8.0.0, < 8.0.292.6 LOW

In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. 

>= 8.2.0, < 8.2.3, >= 8.1.0, < 8.1.16, >= 8.0.0, < 8.0.287.7 HIGH

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.

>= 8.2.0, < 8.2.3, >= 8.1.0, < 8.1.16, >= 8.0.0, < 8.0.287.5 HIGH

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.

>= 8.2.0, < 8.2.3, >= 8.1.0, < 8.1.16, >= 8.0.0, < 8.0.287.5 HIGH

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.

= *, >= 8.0.0, < 8.0.25, >= 7.4.0, < 7.4.33, >= 8.1.0, < 8.1.126.5 MEDIUM

In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information. 

>= 8.0.0, < 8.0.25, >= 8.1.0, < 8.1.12, >= 7.2.0, < 7.4.339.8 CRITICAL

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

>= 8.1.0, < 8.1.11, >= 8.0.0, < 8.0.24, < 7.4.316.5 MEDIUM

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.

>= 8.1.0, < 8.1.11, >= 8.0.0, < 8.0.24, < 7.4.312.3 LOW

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

>= 8.1.0, < 8.1.87.7 HIGH

In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfo_buffer, due to incorrect patch applied to the third party code from libmagic, incorrect function may be used to free allocated memory, which may lead to heap corruption.

>= 8.1.0, < 8.1.7, >= 8.0.0, < 8.0.20, >= 7.4.0, < 7.4.307.5 HIGH6 MEDIUM

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

>= 8.1.0, < 8.1.7, >= 8.0.0, < 8.0.20, >= 7.4.0, < 7.4.308.1 HIGH6.8 MEDIUM

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.

>= 8.1.0, < 8.1.3, >= 8.0.0, < 8.0.16, >= 7.4.0, < 7.4.288.2 HIGH6.8 MEDIUM

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.

>= 8.0.0, < 8.0.13, >= 7.4.0, < 7.4.26, >= 7.3.0, < 7.3.335.3 MEDIUM5 MEDIUM

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.

>= 7.3.0, <= 7.3.31, >= 7.4.0, < 7.4.25, >= 8.0.0, < 8.0.127.8 HIGH6.9 MEDIUM

In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.

>= 7.3.0, < 7.3.31, >= 7.4.0, < 7.4.24, >= 8.0.0, < 8.0.115.3 MEDIUM4.3 MEDIUM

In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions.

>= 8.0.0, < 8.0.8, >= 7.4.0, < 7.4.21, >= 7.3.0, < 7.3.294.3 MEDIUM5 MEDIUM

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.

>= 8.0.0, < 8.0.8, >= 7.4.0, < 7.4.21, >= 7.3.0, < 7.3.295 MEDIUM4.3 MEDIUM

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.

= 5.0.0, = 7.0.0, = 8.0.06.1 MEDIUM4.3 MEDIUM

XMB is vulnerable to cross-site scripting (XSS) due to inadequate filtering of BBCode input. This bug affects all versions of XMB. All XMB installations must be updated to versions 1.9.12.03 or 1.9.11.16.

>= 7.3.0, < 7.3.26, >= 7.4.0, < 7.4.14, >= 8.0.0, < 8.0.15.3 MEDIUM5 MEDIUM

In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.

>= 7.3.0, < 7.3.27, >= 7.4.0, < 7.4.15, >= 8.0.0, < 8.0.25.3 MEDIUM5 MEDIUM

In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash.

>= 7.4.0, < 7.4.11, >= 7.3.0, < 7.3.23, >= 7.2.0, < 7.2.344.3 MEDIUM5 MEDIUM

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.

>= 7.4.0, < 7.4.11, >= 7.3.0, < 7.3.23, >= 7.2.0, < 7.2.345.4 MEDIUM6.4 MEDIUM

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.

>= 7.4.0, < 7.4.9, >= 7.3.0, < 7.3.21, >= 7.2.0, < 7.2.334.8 MEDIUM3.3 LOW

In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.

< 7.2.167.5 HIGH5 MEDIUM

An issue was discovered in Chadha PHPKB 9.0 Enterprise Edition. installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on hosts running PHP before 7.2.16, or on hosts where the MySQL ALLOW LOCAL DATA INFILE option is enabled.

>= 7.4.0, < 7.4.6, >= 7.3.0, < 7.3.18, >= 7.2.0, < 7.2.315.3 MEDIUM5 MEDIUM

In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.

>= 7.4.0, < 7.4.5, >= 7.3.0, < 7.3.17, >= 7.2.0, < 7.2.307.5 HIGH5 MEDIUM

In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.

>= 7.3.0, < 7.3.16, >= 7.2.0, < 7.2.29, >= 7.4.0, < 7.4.45.3 MEDIUM4.3 MEDIUM

In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server.

>= 7.3.0, < 7.3.16, >= 7.4.0, < 7.4.47.4 HIGH6.8 MEDIUM

In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution.

>= 7.3.0, < 7.3.16, >= 7.2.0, < 7.2.29, >= 7.4.0, < 7.4.46.5 MEDIUM5.8 MEDIUM

In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash.

>= 7.2.0, <= 7.2.27, >= 7.3.0, <= 7.3.14, >= 7.4.0, <= 7.4.27.5 HIGH4.3 MEDIUM

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter null pointer dereference, which would likely lead to a crash.

>= 7.2.0, <= 7.2.27, >= 7.3.0, <= 7.3.14, >= 7.4.0, <= 7.4.25.5 MEDIUM5 MEDIUM

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.

>= 7.2.0, <= 7.2.27, >= 7.3.0, <= 7.3.14, >= 7.4.0, <= 7.4.26.5 MEDIUM6.4 MEDIUM

In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash.

>= 5.6.0, < 5.6.19.8 CRITICAL6.8 MEDIUM

Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value.

>= 5.3.0, <= 5.3.107.5 HIGH7.8 HIGH

regcomp in the BSD implementation of libc is vulnerable to denial of service due to stack exhaustion.

>= 7.4.0, < 7.4.2, >= 7.2.0, < 7.2.27, >= 7.3.0, < 7.3.146.5 MEDIUM6.4 MEDIUM

When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash.

>= 7.4.0, < 7.4.2, >= 7.2.0, < 7.2.27, >= 7.3.0, < 7.3.146.5 MEDIUM6.4 MEDIUM

When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.

< 5.4.24, >= 5.4.25, < 5.5.88.8 HIGH6.5 MEDIUM

The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap.

>= 5.5.0, < 5.5.26, >= 5.4.0, < 5.4.41, >= 5.6.0, < 5.6.97.8 HIGH6.8 MEDIUM

The compile_branch function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code, cause a denial of service (out-of-bounds heap read and crash), or possibly have other unspecified impact via a regular expression with a group containing a forward reference repeated a large number of times within a repeated outer group that has a zero minimum quantifier.

>= 5.5.0, < 5.5.26, >= 5.4.0, < 5.4.41, >= 5.6.0, < 5.6.95.5 MEDIUM4.3 MEDIUM

The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code and cause a denial of service (out-of-bounds read) via regular expression with a group containing both a forward referencing subroutine call and a recursive back reference, as demonstrated by "((?+1)(\1))/".

= 7.4.0, >= 7.3.0, <= 7.3.13, >= 7.2.0, <= 7.2.263.7 LOW4.3 MEDIUM

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

= 7.4.0, >= 7.3.0, <= 7.3.13, >= 7.2.0, <= 7.2.264.8 MEDIUM6.4 MEDIUM

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

= 7.4.0, >= 7.3.0, <= 7.3.13, >= 7.2.0, <= 7.2.263.7 LOW5 MEDIUM

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.

= 7.4.0, >= 7.2.0, < 7.2.26, >= 7.3.0, < 7.3.134.8 MEDIUM6.4 MEDIUM

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

>= 7.3.0, <= 7.3.13, = 7.4.06.5 MEDIUM7.5 HIGH

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.

= 7.4.0, >= 7.3.0, <= 7.3.13, >= 7.2.0, <= 7.2.263.7 LOW5 MEDIUM

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

< 5.3.69.8 CRITICAL7.5 HIGH

SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6.

>= 7.3.0, < 7.3.107.5 HIGH5 MEDIUM

Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c.

>= 5.0.0, < 5.4.47.5 HIGH5 MEDIUM

PHP5 before 5.4.4 allows passing invalid utf-8 strings via the xmlTextWriterWriteAttribute, which are then misparsed by libxml2. This results in memory leak into the resulting output.

>= 7.1.0, < 7.1.33, >= 7.2.0, < 7.2.24, >= 7.3.0, < 7.3.118.7 HIGH7.5 HIGH

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

>= 7.1.0, < 7.1.31, >= 7.2.0, < 7.2.21, >= 7.3.0, < 7.3.87.1 HIGH5.8 MEDIUM

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

>= 7.1.0, < 7.1.31, >= 7.2.0, < 7.2.21, >= 7.3.0, < 7.3.87.1 HIGH5.8 MEDIUM

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

>= 7.0.0, < 7.0.165 MEDIUM

main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input.

>= 7.3.0, < 7.3.9, >= 7.2.0, < 7.2.23, >= 7.1.0, < 7.1.329.8 CRITICAL7.5 HIGH

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

>= 7.3.0, < 7.3.6, >= 7.1.0, < 7.1.30, >= 7.2.0, < 7.2.195.3 MEDIUM5 MEDIUM

When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.

>= 7.3.0, < 7.3.6, >= 7.1.0, < 7.1.30, >= 7.2.0, < 7.2.199.1 CRITICAL6.4 MEDIUM

Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.

>= 7.3.0, < 7.3.6, >= 7.1.0, < 7.1.30, >= 7.2.0, < 7.2.199.1 CRITICAL6.4 MEDIUM

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

>= 7.3.0, < 7.3.5, >= 7.2.0, < 7.2.18, >= 7.1.0, < 7.1.299.1 CRITICAL6.4 MEDIUM

When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.

>= 7.3.0, < 7.3.4, >= 7.2.9, < 7.2.17, >= 7.1.0, < 7.1.289.1 CRITICAL6.4 MEDIUM

When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash.

>= 7.3.0, < 7.3.4, >= 7.2.9, < 7.2.17, >= 7.1.0, < 7.1.289.1 CRITICAL6.4 MEDIUM

When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.

>= 7.3.0, < 7.3.3, >= 7.0.0, < 7.1.276.8 MEDIUM

An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently cannot happen: "This issue allows theoretical compromise of security, but a practical attack is usually impossible.

< 7.1.27, >= 7.2.0, < 7.2.16, >= 7.3.0, < 7.3.37.5 HIGH5 MEDIUM

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len.

< 7.1.27, >= 7.2.0, < 7.2.16, >= 7.3.0, < 7.3.37.5 HIGH5 MEDIUM

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable.

>= 7.2.0, < 7.2.16, >= 7.3.0, < 7.3.3, >= 7.1.0, < 7.1.277.5 HIGH5 MEDIUM

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn.

< 7.1.27, >= 7.2.0, < 7.2.16, >= 7.3.0, < 7.3.39.8 CRITICAL7.5 HIGH

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.

< 7.1.27, >= 7.2.0, < 7.2.16, >= 7.3.0, < 7.3.35 MEDIUM

An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.

>= 7.2.0, < 7.2.14, >= 7.0.0, < 7.1.26, < 5.6.40, >= 7.3.0, < 7.3.15 MEDIUM

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c.

>= 7.3.0, < 7.3.17.5 HIGH

An issue was discovered in PHP 7.3.x before 7.3.1. An invalid multibyte string supplied as an argument to the mb_split() function in ext/mbstring/php_mbregex.c can cause PHP to execute memcpy() with a negative argument, which could read and write past buffers allocated for the data.

>= 7.2.0, < 7.2.14, >= 7.0.0, < 7.1.26, < 5.6.40, >= 7.3.0, < 7.3.17.5 HIGH

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

>= 7.2.0, < 7.2.14, >= 7.0.0, < 7.1.26, >= 7.3.0, < 7.3.25 MEDIUM

An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parserr in ext/standard/dns.c for DNS_CAA and DNS_ANY queries.

>= 7.2.0, < 7.2.14, >= 7.0.0, < 7.1.26, < 5.6.40, >= 7.3.0, < 7.3.17.5 HIGH

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c.

>= 7.2.0, < 7.2.14, >= 7.0.0, < 7.1.26, < 5.6.40, >= 7.3.0, < 7.3.17.5 HIGH

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.

< 5.6.39, >= 7.0.0, < 7.0.33, >= 7.1.0, < 7.1.25, >= 7.2.0, < 7.2.135 MEDIUM

In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file. This is related to phar_parse_pharfile in ext/phar/phar.c.