CVE-2019-13225
Advisory lineage Upstream: 0 Downstream: 7
Modified
Published: 10 Jul 2019, 13:50
Last modified:04 Aug 2024, 23:49
Vulnerability Summary
Overall Risk (default)
medium
26/100 CVSS Score
6.5 MEDIUM
v3.1 (nvd)
EPSS Score
0.13% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
10 Jul 2019, 13:50
Published
Vulnerability first disclosed
04 Aug 2024, 23:49
Last Modified
Vulnerability information updated
Description
A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
CVSS Metrics
- v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 0.13%• Percentile: 32%
Techniques & Countermeasures
- CWE-476•NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Systems
- fedoraproject•fedora
29 | 30
- oniguruma_project•oniguruma
6.9.2
References (4)
- https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNL26OZSQRVLEO6JRNUVIMZTICXBNEQW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWCPDTZOIUKGMFAD5NAKUB7FPJFAIQN5/
- https://security.gentoo.org/glsa/201911-03