Lucene search

[email protected]CVE-2019-11042

HistoryAug 09, 2019 - 8:15 p.m.

CVE-2019-11042

2019-08-0920:15:11

CWE-125

[email protected]

web.nvd.nist.gov

665

cve

2019

11042

php

exif

extension

buffer overflow

information disclosure

nvd

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

AI Score

6.8

Confidence

High

EPSS

0.003

Percentile

68.4%

JSON

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

Affected configurations

NVD

Node

phpphpRange7.1.0–7.1.31

phpphpRange7.2.0–7.2.21

phpphpRange7.3.0–7.3.8

Node

debiandebian_linuxMatch8.0

debiandebian_linuxMatch9.0

debiandebian_linuxMatch10.0

Node

canonicalubuntu_linuxMatch12.04esm

canonicalubuntu_linuxMatch14.04esm

canonicalubuntu_linuxMatch16.04lts

canonicalubuntu_linuxMatch18.04lts

canonicalubuntu_linuxMatch19.04

Node

applemac_os_xRange<10.15.1

Node

opensuseleapMatch15.0

Node

redhatsoftware_collectionsMatch1.0

Node

tenabletenable.scRange<5.19.0

CNA Affected

[
  {
    "product": "PHP",
    "vendor": "PHP Group",
    "versions": [
      {
        "status": "affected",
        "version": "7.1.x below 7.1.31"
      },
      {
        "status": "affected",
        "version": "7.2.x below 7.2.21"
      },
      {
        "status": "affected",
        "version": "7.3.x below 7.3.8"
      }
    ]
  }
]