Out-of-bounds read in php7 (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-11047 |
| CWE-ID | CWE-125 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
php7 (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Out-of-bounds read
EUVDB-ID: #VU33364
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11047
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
MitigationInstall update from vendor's website.
Vulnerable software versionsphp7 (Alpine package): 7.2.24-r0
External linkshttp://git.alpinelinux.org/aports/commit/?id=5ea4a0536e0f920f0bffd2ac54ce75665830e4ab
http://git.alpinelinux.org/aports/commit/?id=c34558aad0fa77a9c307564822690940e618b972
http://git.alpinelinux.org/aports/commit/?id=2e744b63543aae404c54b88ee4b4135a58449190
http://git.alpinelinux.org/aports/commit/?id=840f665bfeaa4de03d66d8a6d69ceb3a331e3bf6
http://git.alpinelinux.org/aports/commit/?id=89bf7fcf675ffb9138a3afe613cb1f7c918b57ac
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
