CVE-2019-9020

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.6.40 PHP versions 7.0.x through 7.1.25 PHP versions 7.2.x through 7.2.13 PHP versions 7.3.x through 7.3.0

Description An issue in PHP allows for invalid memory access due to invalid input to the xmlrpc decode() function, leading to a heap out of bounds read or read after free. This issue is related to the xml elem parse buf() function in ext/xmlrpc/libxmlrpc/xml element.c. The vulnerability can be exploited by a remote attacker to gain unauthorized access to protected data, related to a buffer overflow read.

Recommendations For PHP versions prior to 5.6.40, update to version 5.6.40 or later. For PHP versions 7.0.x through 7.1.25, update to version 7.1.26 or later. For PHP versions 7.2.x through 7.2.13, update to version 7.2.14 or later. For PHP versions 7.3.x through 7.3.0, update to version 7.3.1 or later. As a temporary workaround, consider disabling the xmlrpc decode() function until a patch is available. Restrict access to the xml elem parse buf() function in ext/xmlrpc/libxmlrpc/xml element.c to minimize the risk of exploitation.