E19-7nk31
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
False Positive: f
Variants: 1
Year: 2019
Description
A buffer underflow vulnerability exists in PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11.
The vulnerability resides in the 'init_request_info' function (fpm_main.c) and results from a missing string length check when FCGI parameters are received from an nginx server.
An unauthenticated remote attacker can exploit the flaw to execute arbitrary code on the target server.