cve

This document describes how CVEs are issued for vulnerabilities in PHP code.

For bug reporters

CVE numbers will be assigned to security issues by PHP developers. Please do not request CVEs for PHP issues independently, this would create confusion. If you need a CVE number for a certain issue before the fix is released and CVE is published, please contact security@php.net with explanation and bug number and the number will be allocated if necessary.

For PHP developers

The following is the procedure for issuing CVE to a vulnerability. If you do not have access to security issues, please ask somebody who does to follow this procedure (asking on security@php.net is a good way to start)

  1. If there's no bug on bugs.php.net for the issue, create one. Use type “Security” for it.
  2. Read the issues and ensure the vulnerability needs a CVE. Refer to https://wiki.php.net/security for guidance. The rules of thumb are:
    • What usually needs a CVE: an issue where remote user gets to read what is not supposed to be read, write what is not supposed to be written, crash what is not supp... you get the idea.
    • What usually does not need a CVE: configuration issues, security enhancements not linked to a specific vulnerability, issues requiring code execution access, issues triggered by code/configuration known to be insecure or unreachable, issues in non-release versions (e.g. master), third-party library issues (may be still issued CVE, but not by us).
  3. Take first item from the list of unallocated IDs below, and move it to the list of allocated IDs together with the bug ID
  4. If there's no unallocated IDs left, use “needed” in CVE field of the bug and notify security@php.net that new CVE number allocation is needed. We'll be watching the number of available ones and allocate more on need, but if certain release's bug harvest is particularly bountiful, they may run out quicker then expected.
  5. Edit the bug and add CVE id to the issue
  6. Once the bug is fixed, add the CVE number selected to the bug fix to the release notes (NEWS).
  7. Submit bug description to CVE list as described below

Submitting CVE data to MITRE

The following procedure is for making CVE report for MITRE database.

Preparation

Fork and clone repo in https://github.com/CVEProject/cvelist. Do not forget to update your fork from master each time new set of bugs is submitted. It is recommended to submit all issues for the release together.

For each issue

  1. Create JSON file describing the issue. https://vulnogram.github.io/ is a good tool for this.
  2. Add the resulting file with the name CVE-YEAR-NNNN.json into directory YEAR/NNxxx/ - e.g. CVE-2019-11035 goes to 2019/11xxx/CVE-2019-11035.json. Note there can already be a “reserved” file there, overwrite it (ensure it was empty before, mistakes happen)
  3. Create a commit with new issues in a separate branch
  4. Push it to your fork
  5. Create a pull request for upstream repository on github
  6. Wait for cvelist team to approve it
  7. PROFIT!!!

Reserved CVEs

Allocated

CVE Bug
CVE-2019-11034 https://bugs.php.net/77753
CVE-2019-11035 https://bugs.php.net/77831
CVE-2019-11036 https://bugs.php.net/77950
CVE-2019-11037 https://bugs.php.net/77791
CVE-2019-11038 https://bugs.php.net/77973
CVE-2019-11039 https://bugs.php.net/78069
CVE-2019-11040 https://bugs.php.net/77988
CVE-2019-11041 https://bugs.php.net/78222
CVE-2019-11042 https://bugs.php.net/78256
CVE-2019-11043 https://bugs.php.net/78599
CVE-2019-11044 https://bugs.php.net/78862
CVE-2019-11045 https://bugs.php.net/78863
CVE-2019-11046 https://bugs.php.net/78878
CVE-2019-11047 https://bugs.php.net/78910
CVE-2019-11048 https://bugs.php.net/78875
CVE-2019-11049 https://bugs.php.net/78943
CVE-2019-11050 https://bugs.php.net/78793
CVE-2020-7059 https://bugs.php.net/79099
CVE-2020-7060 https://bugs.php.net/79037
CVE-2020-7061 https://bugs.php.net/79171
CVE-2020-7062 https://bugs.php.net/79221
CVE-2020-7063 https://bugs.php.net/79082
CVE-2020-7064 https://bugs.php.net/79282
CVE-2020-7065 https://bugs.php.net/79371
CVE-2020-7066 https://bugs.php.net/79329
CVE-2020-7067 https://bugs.php.net/79465
CVE-2020-7068 https://bugs.php.net/79797
CVE-2020-7069 https://bugs.php.net/79601
CVE-2020-7070 https://bugs.php.net/79699
CVE-2020-7071 https://bugs.php.net/77423
CVE-2021-21702 https://bugs.php.net/80672
CVE-2021-21703 https://bugs.php.net/81026
CVE-2021-21704 https://bugs.php.net/76448
CVE-2021-21705 https://bugs.php.net/81122
CVE-2021-21706 https://bugs.php.net/81420
CVE-2021-21707 https://bugs.php.net/79971
CVE-2021-21708 https://bugs.php.net/81708
CVE-2022-31625 https://bugs.php.net/81720
CVE-2022-31626 https://bugs.php.net/81719
CVE-2022-31627 https://bugs.php.net/81723
CVE-2022-31628 https://bugs.php.net/81726
CVE-2022-31629 https://bugs.php.net/81727
CVE-2022-31630 https://bugs.php.net/81739

Unallocated

CVE-2022-31631
CVE-2022-31632
CVE-2022-31633
CVE-2022-31634

Old reserved CVEs:

CVE-2021-21709
CVE-2021-21710
CVE-2021-21711
CVE-2021-21712
CVE-2021-21713
CVE-2021-21714
CVE-2021-21715
CVE-2021-21716
CVE-2021-21717
CVE-2021-21718
CVE-2021-21719
CVE-2021-21720
CVE-2021-21721
CVE-2020-7072 	
CVE-2020-7073 	
CVE-2020-7074 	
CVE-2020-7075 	
CVE-2020-7076 	
CVE-2020-7077 	
CVE-2020-7078
cve.txt · Last modified: 2022/10/24 00:45 by stas