CVE-2019-11045
DirectoryIterator class silently truncates after a null byteIn PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
We have discovered 390,801 live websites that are affected by CVE-2019-11045.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Domains | 390,801 live websites (4.48% of PHP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 40 versions ( 7.31% of all versions) |
Common Weakness Enumeration
CWE-170 Improper Null TerminationDetails
- Published - Dec 23, 2019
- Updated - Sep 16, 2024
Credits
- Submitted by ryat at php.net
CWE
CVE References
CWE References
CVE-2019-11045 usage by Country
 United States | 143,557 websites |
 France | 176,164 websites |
 China | 11,020 websites |
 Germany | 8,316 websites |
 Russia | 7,655 websites |
 Japan | 3,613 websites |
 Netherlands | 3,159 websites |
 Poland | 3,083 websites |
 GB | 2,941 websites |
 Italy | 2,356 websites |
CVE-2019-11045 usage by TLD
| .com | 155,444 websites |
| .fr | 69,498 websites |
| .ru | 59,318 websites |
| .org | 14,236 websites |
| .net | 10,462 websites |
| .be | 8,180 websites |
| .pl | 6,563 websites |
| .de | 5,184 websites |
| .it | 5,022 websites |
| .eu | 3,581 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2019-11045
Top websites that are affected by CVE-2019-11045. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *.cn | China | *,*** | |
| *****.***.cn | China | *,*** | |
| *****.cn | China | *,*** | |
| *********.com | China | *,*** | |
| *******.com | United States | *,*** | |
| *****.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| ***.***.edu | United States | *,*** | |
| ****.***.edu | United States | *,*** | |
| ***.****.gov | United States | *,*** |
FAQ
CVE-2019-11045 is Improper Null Termination in PHP
A total of 390,801 websites have been identified as vulnerable to CVE-2019-11045, discovered through global website indexing conducted by WebTechSurvey.
PHP is susceptible to CVE-2019-11045 vulnerability.
PHP versions before 7.4.1 are vulnerable to CVE-2019-11045.
Version 7.4.1 of PHP addresses the CVE-2019-11045 security vulnerability.
References
- https://bugs.php.net/bug.php?id=78863
- https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html
- https://security.netapp.com/advisory/ntap-20200103-0002/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
- https://usn.ubuntu.com/4239-1/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html
- https://seclists.org/bugtraq/2020/Feb/27
- https://www.debian.org/security/2020/dsa-4626
- https://www.debian.org/security/2020/dsa-4628
- https://seclists.org/bugtraq/2020/Feb/31
- https://seclists.org/bugtraq/2021/Jan/3
- https://www.tenable.com/security/tns-2021-14