Main Vulnerability Database Vulnerabilities #VU23097

Out-of-bounds read in Oniguruma - CVE-2019-19246

Published: November 29, 2019

Vulnerability identifier: #VU23097

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-19246

CWE-ID: CWE-125

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: K.Kosako

Affected software:
Oniguruma

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to heap-based buffer over-read in str_lower_case_match in regexec.c, if used with PPH 7.3. A remote attacker can perform a denial of service attack or gain access to sensitive information.

How to mitigate CVE-2019-19246

Install update from vendor's website.

Sources

https://bugs.php.net/bug.php?id=78559
https://github.com/kkos/oniguruma/commit/d3e402928b6eb3327f8f7d59a9edfa622fec557b

Out-of-bounds read in Oniguruma - CVE-2019-19246

Detailed vulnerability description

How to mitigate CVE-2019-19246

Sources

Please verify you're human