CVE-2019-9637
- Source
- https://cve.org/CVERecord?id=CVE-2019-9637
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9637.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-9637
- Downstream
- Related
- Published
- 2019-03-09T00:29:00.520Z
- Modified
- 2026-04-10T04:20:54.759494Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.
- References
-
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
- https://www.tenable.com/security/tns-2019-07
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
- https://access.redhat.com/errata/RHSA-2019:3299
- https://support.f5.com/csp/article/K53825211
- https://usn.ubuntu.com/3922-2/
- https://lists.debian.org/debian-lts-announce/2019/03/msg00043.html
- https://usn.ubuntu.com/3922-1/
- https://usn.ubuntu.com/3922-3/
- https://access.redhat.com/errata/RHSA-2019:2519
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html
- https://security.netapp.com/advisory/ntap-20190502-0007/
- https://www.debian.org/security/2019/dsa-4403
- https://bugs.php.net/bug.php?id=77630
Affected packages
Git / github.com/php/php-src
Affected ranges
- Type
- GIT
- Repo
- https://github.com/php/php-src
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "7.1.27" }, { "introduced": "7.2.0" }, { "fixed": "7.2.16" }, { "introduced": "7.3.0" }, { "fixed": "7.3.3" }, { "introduced": "0" }, { "last_affected": "8.0" } ] }
Affected versions
Other
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS
php-7.*
php-7.3.3RC1
php-8.*
php-8.0.0
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9637.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18.10"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "42.3"
}
]
}
]