PublicDateAtUSN: 2019-03-08
Candidate: CVE-2019-9637
PublicDate: 2019-03-09 00:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9637
 https://www.debian.org/security/2019/dsa-4403
 https://ubuntu.com/security/notices/USN-3922-1
 https://ubuntu.com/security/notices/USN-3922-2
 https://ubuntu.com/security/notices/USN-3922-3
Description:
 An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and
 7.3.x before 7.3.3. Due to the way rename() across filesystems is
 implemented, it is possible that file being renamed is briefly available
 with wrong permissions while the rename is ongoing, thus enabling
 unauthorized users to access the data.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.php.net/bug.php?id=77630
Priority: low
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_php5:
upstream_php5: needs-triage
precise/esm_php5: released (5.3.10-1ubuntu3.34)
trusty_php5: released (5.5.9+dfsg-1ubuntu4.29)
trusty/esm_php5: released (5.5.9+dfsg-1ubuntu4.29)
xenial_php5: DNE
bionic_php5: DNE
cosmic_php5: DNE
disco_php5: DNE
devel_php5: DNE

Patches_php7.0:
upstream_php7.0: needs-triage
precise/esm_php7.0: DNE
trusty_php7.0: DNE
trusty/esm_php7.0: DNE
xenial_php7.0: released (7.0.33-0ubuntu0.16.04.3)
esm-infra/xenial_php7.0: released (7.0.33-0ubuntu0.16.04.3)
bionic_php7.0: DNE
cosmic_php7.0: DNE
disco_php7.0: DNE
devel_php7.0: DNE

Patches_php7.2:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=e3133e4db70476fb7adfdedb738483e2255ce0e1
upstream_php7.2: released (7.2.16)
precise/esm_php7.2: DNE
trusty_php7.2: DNE
trusty/esm_php7.2: DNE
xenial_php7.2: DNE
bionic_php7.2: released (7.2.15-0ubuntu0.18.04.2)
cosmic_php7.2: released (7.2.15-0ubuntu0.18.10.2)
disco_php7.2: released (7.2.15-0ubuntu3)
devel_php7.2: released (7.2.15-0ubuntu3)

Patches_php7.3:
upstream_php7.3: released (7.3.3)
precise/esm_php7.3: DNE
trusty_php7.3: DNE
trusty/esm_php7.3: DNE
xenial_php7.3: DNE
bionic_php7.3: DNE
cosmic_php7.3: DNE
disco_php7.3: DNE
devel_php7.3: not-affected (7.3.4-2)