Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2019-9637)

Description

An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.

Remediation

References

Related Vulnerabilities

WordPress Plugin DW Question & Answer Security Bypass (1.2.9)

WordPress Plugin WPS Hide Login Security Bypass (1.9)

Apache read beyond bounds in mod_isapi Vulnerability (CVE-2022-28330)

Apache HTTP Server Improper Input Validation Vulnerability (CVE-2017-9788)

Artifactory Improper Input Validation Vulnerability (CVE-2019-19937)

Severity

High

Classification

CVE-2019-9637 CWE-264 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities