CVE-2019-13224

Description

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

CVSS Metrics

• v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.54%• Percentile: 68%

Techniques & Countermeasures

• CWE-416•Use After Free

  The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Affected Systems

• canonical•ubuntu_linux

  12.04 | 14.04

• debian•debian_linux

  8.0

• fedoraproject•fedora

  29 | 30

• oniguruma_project•oniguruma

  6.9.2

• Unknown•PHP

  ≥ 7.1.0, < 7.1.32 | ≥ 7.2.0, < 7.2.23 | ≥ 7.3.0, < 7.3.9

References (8)

• https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
• https://lists.debian.org/debian-lts-announce/2019/07/msg00013.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNL26OZSQRVLEO6JRNUVIMZTICXBNEQW/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWCPDTZOIUKGMFAD5NAKUB7FPJFAIQN5/
• https://usn.ubuntu.com/4088-1/
• https://support.f5.com/csp/article/K00103182
• https://support.f5.com/csp/article/K00103182?utm_source=f5support&amp%3Butm_medium=RSS
• https://security.gentoo.org/glsa/201911-03