PT-2019-5046 · Php+1

Published: 2019-12-22 · Updated: 2022-12-14 · CVE-2019-11044

CVSS v2.0: 7.8 High

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

PHP versions 7.2.x through 7.2.25
PHP versions 7.3.x through 7.3.12
PHP version 7.4.0

Description

The issue is related to the link() function in PHP, which accepts filenames containing an embedded null byte (\0) and treats them as terminating at that byte. This can lead to security issues, for example in applications that check which paths the code is allowed to access. The vulnerability is associated with insufficient input validation and allows a remote attacker to gain unauthorized access to information.

Recommendations

For PHP versions 7.2.x through 7.2.25, update to version 7.2.26 or later.
For PHP versions 7.3.x through 7.3.13 or later: for PHP versions 7.3.x through 7.3.12, update to version 7.3.13 or later.
For PHP version 7.4.0, update to a later version that addresses this issue.
As a temporary workaround, consider restricting the use of the link() function until a patch is available.
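
The following is an added example, not code from PHP or from this advisory: an application-side guard that refuses names with an embedded null byte before they reach link(), and shows why a check on the full string and the truncated name can disagree. The function names (contains_nul, c_string_view, is_inside, safe_link) and the sample filename are hypothetical.

```php
<?php
// Added example; function names are hypothetical, not part of PHP or the advisory.

// True if the string carries an embedded NUL byte.
function contains_nul(string $path): bool
{
    return strpos($path, "\0") !== false;
}

// What a C-string API would see: everything before the first NUL.
function c_string_view(string $path): string
{
    $head = strstr($path, "\0", true);
    return $head === false ? $path : $head;
}

// True if $path equals $base or lies beneath it (both already canonical).
function is_inside(string $base, string $path): bool
{
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
}

// Create a hard link only when both names are NUL-free and stay inside $baseDir.
function safe_link(string $baseDir, string $target, string $link): bool
{
    if (contains_nul($target) || contains_nul($link)) {
        return false; // refuse rather than let the name be truncated
    }
    $base = realpath($baseDir);
    $realTarget = realpath($target);
    $linkDir = realpath(dirname($link));
    if ($base === false || $realTarget === false || $linkDir === false) {
        return false;
    }
    if (!is_inside($base, $realTarget) || !is_inside($base, $linkDir)) {
        return false;
    }
    return link($realTarget, $linkDir . DIRECTORY_SEPARATOR . basename($link));
}

// Constructed sample: the full string ends in ".txt", the truncated name does not.
$name = "settings.cfg\0.txt";
var_dump(substr($name, -4) === '.txt');   // check on the PHP string
var_dump(c_string_view($name));           // name after truncation at the NUL
var_dump(safe_link(sys_get_temp_dir(), $name, 'copy.txt'));
```

The guard complements the version update above; it does not replace it.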

Related Identifiers

ALT-PU-2020-1149
ALT-PU-2020-1206
BDU:2020-01688
CVE-2019-11044

Affected Products

Alt Linux
Php