CVE-2019-11048
Temporary files are not cleaned after OOM when parsing HTTP request data
In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.
We have discovered 638,410 live websites that are affected by CVE-2019-11048.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 507 |
| Vulnerable Domains | 638,410 live websites (5.28% of PHP install base) |
Distribution by Website Rank
The diagram provides a graphic representation of the correlation between the occurrence of CVE-2019-11048 and the relative popularity of websitesDetails
- Published - May 11, 2020
- Updated - Jul 23, 2021
Credits
- jr at coredu dot mp
CWE
CVE References
CWE References
Countries
 United States | 125,895 websites |
 France | 248,652 websites |
 Russia | 68,291 websites |
 China | 20,973 websites |
 Germany | 14,841 websites |
 Poland | 13,266 websites |
 Italy | 12,350 websites |
 Belgium | 11,659 websites |
 Japan | 10,251 websites |
 Spain | 10,164 websites |
TLDs
| .com | 260,137 websites |
| .fr | 110,636 websites |
| .ru | 65,356 websites |
| .org | 26,193 websites |
| .net | 17,838 websites |
| .be | 13,050 websites |
| .pl | 10,379 websites |
| .it | 9,300 websites |
| .de | 9,110 websites |
| .nl | 7,007 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redGeographical Distribution
The distribution of websites across the globe that are exposed to CVE-2019-11048 through included software libraries and plugins.References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBA3TFZSP3TB5N4G24SO6BI64RJZXE3D/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDUQ7XFONY3BWTAQQUD3QUGZT6NFZUF/
- https://usn.ubuntu.com/4375-1/
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00045.html
- https://lists.debian.org/debian-lts-announce/2020/06/msg00033.html
- https://www.debian.org/security/2020/dsa-4717
- https://www.debian.org/security/2020/dsa-4719
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://bugs.php.net/bug.php?id=78875
- https://bugs.php.net/bug.php?id=78876
- https://security.netapp.com/advisory/ntap-20200528-0006/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.tenable.com/security/tns-2021-14
Websites affected by CVE-2019-11048
Top websites that are affected by CVE-2019-11048. Please click on the "Contact us" button above to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.*****.cz |  Czech Republic | *,*** | |
| *.cn | China | *,*** | |
| ***.*.cn | China | *,*** | |
| ***.*****.pl | Poland | *,*** | |
| *******.com | Germany | *,*** | |
| *****.***.cn | China | *,*** | |
| ***.*****.***.cn | China | *,*** | |
| *****.cn | China | *,*** | |
| ***.*****.cn | China | *,*** | |
| ***.*********.com | China | *,*** |