CVE-2019-11043

8.7 HIGH CISA KEV - Actively Exploited
Published: October 28, 2019 Modified: November 03, 2025

Description

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of the FPM setup, it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html
Source: security@php.net
Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html
Source: security@php.net
Mailing List Third Party Advisory
http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html
Source: security@php.net
Exploit Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2020/Jan/40
Source: security@php.net
Mailing List Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3286
Source: security@php.net
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3287
Source: security@php.net
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3299
Source: security@php.net
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3300
Source: security@php.net
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3724
Source: security@php.net
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3735
Source: security@php.net
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3736
Source: security@php.net
Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0322
Source: security@php.net
Third Party Advisory
https://bugs.php.net/bug.php?id=78599
Source: security@php.net
Exploit Issue Tracking Patch Vendor Advisory
https://github.com/neex/phuip-fpizdam
Source: security@php.net
Exploit Third Party Advisory
https://seclists.org/bugtraq/2020/Jan/44
Source: security@php.net
Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20191031-0003/
Source: security@php.net
Third Party Advisory
https://support.apple.com/kb/HT210919
Source: security@php.net
Third Party Advisory
https://usn.ubuntu.com/4166-1/
Source: security@php.net
Third Party Advisory
https://usn.ubuntu.com/4166-2/
Source: security@php.net
Third Party Advisory
https://www.debian.org/security/2019/dsa-4552
Source: security@php.net
Mailing List Third Party Advisory
https://www.debian.org/security/2019/dsa-4553
Source: security@php.net
Mailing List Third Party Advisory
https://www.synology.com/security/advisory/Synology_SA_19_36
Source: security@php.net
Third Party Advisory
https://www.tenable.com/security/tns-2021-14
Source: security@php.net
Third Party Advisory
https://support.f5.com/csp/article/K75408500?utm_source=f5support&amp%3Butm_medium=RSS
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11043
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource

55 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.7 / 10.0
EPSS (Exploit Probability)
94.1%
100th percentile
Exploitation Status
Actively Exploited
Remediation due: 2022-04-15

Weaknesses (CWE)

Affected Vendors

php redhat canonical debian tenable fedoraproject