PT-2018-3138 · Php+3 · Php+3
Jd
·
Published
2018-03-29
·
Updated
2019-08-19
·
CVE-2018-10545
CVSS v3.1
4.7
Medium
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
PHP versions prior to 5.6.35
PHP versions 7.0.x prior to 7.0.29
PHP versions 7.1.x prior to 7.1.16
PHP versions 7.2.x prior to 7.2.4
Description
The issue is related to the lack of protection for service data in PHP's FPM child processes, allowing an attacker to bypass opcache access controls. This could enable an attacker to gain unauthorized access to sensitive information. In a multiuser environment, one user can exploit this issue to obtain sensitive information from another user's PHP applications by running gcore on the PID of the PHP-FPM worker process.
Recommendations
For PHP versions prior to 5.6.35, update to version 5.6.35 or later.
For PHP versions 7.0.x prior to 7.0.29, update to version 7.0.29 or later.
For PHP versions 7.1.x prior to 7.1.16, update to version 7.1.16 or later.
For PHP versions 7.2.x prior to 7.2.4, update to version 7.2.4 or later.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Php
Suse
Ubuntu