CVE-2019-20838
Advisory lineage Upstream: 0 Downstream: 9
Modified
Published: 15 Jun 2020, 16:50
Last modified:05 Aug 2024, 02:53
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
0.23% LOW
0% probability -0.07%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
15 Jun 2020, 16:50
Published
Vulnerability first disclosed
05 Aug 2024, 02:53
Last Modified
Vulnerability information updated
Description
libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 0.23%• Percentile: 46%
Techniques & Countermeasures
- CWE-125•Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.
Affected Systems
- Unknown•macOS
< 11.0.1
- pcre•pcre
< 8.43
- splunk•universal_forwarder
≥ 8.2.0, < 8.2.12 | ≥ 9.0.0, < 9.0.6 | 9.1.0
References (7)
- https://bugs.gentoo.org/717920
- https://www.pcre.org/original/changelog.txt
- https://support.apple.com/kb/HT211931
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://support.apple.com/kb/HT212147
- http://seclists.org/fulldisclosure/2021/Feb/14
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E