Lucene search

K
cve[email protected]CVE-2019-11042
HistoryAug 09, 2019 - 8:15 p.m.

CVE-2019-11042

2019-08-0920:15:11
CWE-125
web.nvd.nist.gov
662
2
cve
2019
11042
php
exif
extension
buffer overflow
information disclosure
nvd

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.4%

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

Affected configurations

NVD
Node
phpphpRange7.1.07.1.31
OR
phpphpRange7.2.07.2.21
OR
phpphpRange7.3.07.3.8
Node
debiandebian_linuxMatch8.0
OR
debiandebian_linuxMatch9.0
OR
debiandebian_linuxMatch10.0
Node
canonicalubuntu_linuxMatch12.04esm
OR
canonicalubuntu_linuxMatch14.04esm
OR
canonicalubuntu_linuxMatch16.04lts
OR
canonicalubuntu_linuxMatch18.04lts
OR
canonicalubuntu_linuxMatch19.04
Node
applemac_os_xRange<10.15.1
Node
opensuseleapMatch15.0
Node
redhatsoftware_collectionsMatch1.0
Node
tenabletenable.scRange<5.19.0

CNA Affected

[
  {
    "product": "PHP",
    "vendor": "PHP Group",
    "versions": [
      {
        "status": "affected",
        "version": "7.1.x below 7.1.31"
      },
      {
        "status": "affected",
        "version": "7.2.x below 7.2.21"
      },
      {
        "status": "affected",
        "version": "7.3.x below 7.3.8"
      }
    ]
  }
]

Social References

More

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.4%