CVE-2018-10545
- Source
- https://cve.org/CVERecord?id=CVE-2018-10545
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-10545.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2018-10545
- Downstream
- Related
- Published
- 2018-04-29T21:29:00.277Z
- Modified
- 2026-04-11T06:58:33.963758Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpmunix.c makes a PRSET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process.
- References
-
- https://www.debian.org/security/2018/dsa-4240
- https://www.tenable.com/security/tns-2018-12
- http://www.securityfocus.com/bid/104022
- https://access.redhat.com/errata/RHSA-2019:2519
- https://security.gentoo.org/glsa/201812-01
- https://security.netapp.com/advisory/ntap-20180607-0003/
- https://usn.ubuntu.com/3646-1/
- https://usn.ubuntu.com/3646-2/
- https://lists.debian.org/debian-lts-announce/2018/05/msg00004.html
- https://lists.debian.org/debian-lts-announce/2018/06/msg00005.html
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-7.php
- https://bugs.php.net/bug.php?id=75605
Affected packages
Git / github.com/php/php-src
Affected ranges
- Type
- GIT
- Repo
- https://github.com/php/php-src
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "5.6.35" }, { "introduced": "7.0.0" }, { "fixed": "7.0.29" }, { "introduced": "7.1.0" }, { "fixed": "7.1.16" }, { "introduced": "7.2.0" }, { "fixed": "7.2.4" }, { "introduced": "0" }, { "last_affected": "7.0" }, { "introduced": "0" }, { "last_affected": "8.0" } ] }
Affected versions
Other
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS
php-7.*
php-7.0.0
php-7.1.16RC1
php-8.*
php-8.0.0
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-10545.json"
vanir_signatures
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"256365884870753358372710319244770316957",
"230611153719690024403978117961271284794",
"102921983361664405159817029964854163626",
"314773791019620477757473304779551723829"
]
},
"id": "CVE-2018-10545-0ba347cc",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/php/php-src/commit/f52597c960e2e3f46fb96bf1d11b7b03ed338f84",
"target": {
"file": "sapi/fpm/fpm/fpm_unix.c"
}
},
{
"digest": {
"length": 3862.0,
"function_hash": "287442094763772067342266346183851523533"
},
"id": "CVE-2018-10545-3cbcde99",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/php/php-src/commit/f52597c960e2e3f46fb96bf1d11b7b03ed338f84",
"target": {
"function": "fpm_unix_init_child",
"file": "sapi/fpm/fpm/fpm_unix.c"
}
},
{
"digest": {
"length": 5732.0,
"function_hash": "277853390626986811607452198894226224441"
},
"id": "CVE-2018-10545-4f93f49d",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/php/php-src/commit/f52597c960e2e3f46fb96bf1d11b7b03ed338f84",
"target": {
"function": "fpm_conf_dump",
"file": "sapi/fpm/fpm/fpm_conf.c"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"256511797819681255547969006441959424448",
"170070270104641774874597543346518647493",
"121743950867872505806597948820614470705",
"242090551949141085346613766795016436438",
"295134697379924912630054271846860817862",
"260598572435739408847505379837062082534",
"216713436482603700555238819130138446343",
"304870878083177849104934347341857056093",
"108754229275187834165973092560493734346",
"173508882186227559114645650907357673409",
"42193457222507860198891650040648699561",
"256217340988184821380731613952953168297"
]
},
"id": "CVE-2018-10545-acf8bc68",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/php/php-src/commit/f52597c960e2e3f46fb96bf1d11b7b03ed338f84",
"target": {
"file": "sapi/fpm/fpm/fpm_conf.c"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"40588419778845794792413482029445539851",
"164442732053218752669806283308602697138",
"22712446989311435435055743798677487384",
"206944676588201666044630381716353874484"
]
},
"id": "CVE-2018-10545-b65a498f",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/php/php-src/commit/f52597c960e2e3f46fb96bf1d11b7b03ed338f84",
"target": {
"file": "sapi/fpm/fpm/fpm_conf.h"
}
},
{
"digest": {
"length": 671.0,
"function_hash": "267983799647513806905976755268945309230"
},
"id": "CVE-2018-10545-ff51c531",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/php/php-src/commit/f52597c960e2e3f46fb96bf1d11b7b03ed338f84",
"target": {
"function": "fpm_worker_pool_config_alloc",
"file": "sapi/fpm/fpm/fpm_conf.c"
}
}
]
vanir_signatures_modified
"2026-04-11T06:58:33Z"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "17.10"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
}
]