CVE-2019-9023

Advisory lineage Upstream: 0 Downstream: 16

Downstream

DLA-1679-1 DSA-4398-1 OPENSUSE-SU-2019:1572-1 OPENSUSE-SU-2019:1573-1 OPENSUSE-SU-2024:11167-1 OPENSUSE-SU-2024:11169-1

Modified

Published: 22 Feb 2019, 23:00

Last modified:04 Aug 2024, 21:38

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.0 (nvd)

EPSS Score

10.5% MEDIUM

11% probability -1.02%

KEV

Not listed

Ransomware

No reports

Public exploits

7 found

Dark Web

Not detected

Timeline

22 Feb 2019, 23:00

Published

Vulnerability first disclosed

04 Aug 2024, 21:38

Last Modified

Vulnerability information updated

Description

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

CVSS Metrics

v3.0•CRITICAL•Score: 9.8CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 10.50%• Percentile: 93%

Techniques & Countermeasures

CWE-125•Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.

Affected Systems

canonical•ubuntu_linux
12.04 | 14.04 | 16.04
debian•debian_linux
9.0
netapp•storage_automation_store
na
opensuse•leap
42.3
Unknown•PHP
< 5.6.40 | ≥ 7.0.0, < 7.1.26 | ≥ 7.2.0, < 7.2.14 | ≥ 7.3.0, < 7.3.1