Lucene search

[email protected]CVE-2019-9023

HistoryFeb 22, 2019 - 11:29 p.m.

CVE-2019-9023

2019-02-2223:29:00

CWE-125

[email protected]

web.nvd.nist.gov

981

php

cve-2019-9023

security

buffer over-read

multibyte

nvd

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.8%

JSON

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

Affected configurations

NVD

Node

phpphpRange<5.6.40

phpphpRange7.0.0–7.1.26

phpphpRange7.2.0–7.2.14

phpphpRange7.3.0–7.3.1

Node

debiandebian_linuxMatch9.0

Node

canonicalubuntu_linuxMatch12.04esm

canonicalubuntu_linuxMatch14.04lts

canonicalubuntu_linuxMatch16.04lts

Node

netappstorage_automation_storeMatch-

Node

opensuseleapMatch42.3

CPENameOperatorVersion
php:phpphplt5.6.40
php:phpphplt7.1.26
php:phpphplt7.2.14
php:phpphplt7.3.1

CPE	Name	Operator	Version
php:php	php	lt	5.6.40
php:php	php	lt	7.1.26
php:php	php	lt	7.2.14
php:php	php	lt	7.3.1

References

lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html

lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html

lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html

lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html

www.securityfocus.com/bid/107156

access.redhat.com/errata/RHSA-2019:2519

access.redhat.com/errata/RHSA-2019:3299

bugs.php.net/bug.php?id=77370

bugs.php.net/bug.php?id=77371

bugs.php.net/bug.php?id=77381

bugs.php.net/bug.php?id=77382

bugs.php.net/bug.php?id=77385

bugs.php.net/bug.php?id=77394

bugs.php.net/bug.php?id=77418

security.netapp.com/advisory/ntap-20190321-0001/

support.f5.com/csp/article/K06372014

usn.ubuntu.com/3902-1/

usn.ubuntu.com/3902-2/

www.debian.org/security/2019/dsa-4398

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.8%

JSON

Related for CVE-2019-9023

alpinelinux1 hackerone1 prion1 redhatcve1 ubuntucve1 debiancve1 nvd1 f51 veracode1 osv5 cvelist1 openvas20 nessus33 ubuntu2 debian1 suse4 ibm3 redhat3 oraclelinux1 almalinux1 rocky1 cloudlinux1 rosalinux1