PHP-FPM Critical Vulnerability (CVE-2019-11043)

A critical vulnerability in PHP-FPM (CVE-2019-11043) has been disclosed; it allows an attacker to remotely execute malicious code on the server.

Corrective releases PHP 7.3.11, 7.1.33 and 7.2.24, which fix this vulnerability, are already available. You can find them here.

According to opennet.ru, the attack is possible in nginx configurations where requests are forwarded to PHP-FPM with the URL split into parts using "fastcgi_split_path_info" and the PATH_INFO environment variable set from the result, but without first checking that the script file actually exists via the "try_files $fastcgi_script_name" directive or an "if (!-f $document_root$fastcgi_script_name)" block.
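The following is an added illustration (not configuration from the original note or from the PHP or nginx projects) showing the affected nginx pattern described above next to a hardened version. The document root, socket path and server name are assumed placeholders.

```nginx
# --- AFFECTED PATTERN (assumed example, do not use) ---
# fastcgi_split_path_info + PATH_INFO without a file-existence check.
server {
    listen 80;
    server_name example.test;            # assumption: placeholder host
    root /var/www/html;                  # assumption: placeholder docroot

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;   # assumption: placeholder socket
    }
}

# --- HARDENED PATTERN ---
# Same forwarding, but the script file must exist before the request
# reaches PHP-FPM. Combine this with upgrading to PHP 7.3.11 / 7.2.24 / 7.1.33.
server {
    listen 80;
    server_name example.test;            # assumption: placeholder host
    root /var/www/html;                  # assumption: placeholder docroot

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;

        # Return 404 unless $fastcgi_script_name maps to a real file on disk.
        # This is the "try_files $fastcgi_script_name" check named above.
        try_files $fastcgi_script_name =404;

        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;   # assumption: placeholder socket
    }
}
```

The equivalent guard using the other form mentioned in the note is `if (!-f $document_root$fastcgi_script_name) { return 404; }` placed before `fastcgi_pass`; either form prevents requests for non-existent scripts from being handed to PHP-FPM, but the configuration change is a mitigation and does not replace installing the fixed PHP release.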