ByteOS Network

NVD Vulnerability Details :

CVE-2019-9023

Modified

Source-cve@mitre.org

Published At-22 Feb, 2019 | 23:29

Updated At-18 Jun, 2019 | 18:15

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.0	9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary	2.0	7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P

Type: Primary

Version: 3.0

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Primary

Version: 2.0

Base score: 7.5

Base severity: HIGH

Vector:

AV:N/AC:L/Au:N/C:P/I:P/A:P

CPE Matches

The PHP Group

>>php>>Versions before 5.6.40(exclusive)

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

The PHP Group

>>php>>Versions from 7.0.0(inclusive) to 7.1.26(exclusive)

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

The PHP Group

>>php>>Versions from 7.2.0(inclusive) to 7.2.14(exclusive)

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

The PHP Group

>>php>>Versions from 7.3.0(inclusive) to 7.3.1(exclusive)

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Debian GNU/Linux

>>debian_linux>>9.0

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Canonical Ltd.

>>ubuntu_linux>>12.04

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*

Canonical Ltd.

>>ubuntu_linux>>14.04

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

Canonical Ltd.

>>ubuntu_linux>>16.04

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

NetApp, Inc.

>>storage_automation_store>>-

cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*

openSUSE

>>leap>>42.3

cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-125	Primary	nvd@nist.gov

CWE ID: CWE-125

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html	cve@mitre.org	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html	cve@mitre.org	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html	cve@mitre.org	N/A
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html	cve@mitre.org	N/A
http://www.securityfocus.com/bid/107156	cve@mitre.org	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2019:2519	cve@mitre.org	N/A
https://access.redhat.com/errata/RHSA-2019:3299	cve@mitre.org	N/A
https://bugs.php.net/bug.php?id=77370	cve@mitre.org	Exploit Issue Tracking Patch Vendor Advisory
https://bugs.php.net/bug.php?id=77371	cve@mitre.org	Issue Tracking Exploit Vendor Advisory Patch
https://bugs.php.net/bug.php?id=77381	cve@mitre.org	Exploit Issue Tracking Patch Vendor Advisory
https://bugs.php.net/bug.php?id=77382	cve@mitre.org	Exploit Issue Tracking Patch Vendor Advisory
https://bugs.php.net/bug.php?id=77385	cve@mitre.org	Exploit Issue Tracking Patch Vendor Advisory
https://bugs.php.net/bug.php?id=77394	cve@mitre.org	Exploit Issue Tracking Patch Vendor Advisory
https://bugs.php.net/bug.php?id=77418	cve@mitre.org	Exploit Issue Tracking Patch Vendor Advisory
https://security.netapp.com/advisory/ntap-20190321-0001/	cve@mitre.org	Patch Third Party Advisory
https://support.f5.com/csp/article/K06372014	cve@mitre.org	Third Party Advisory
https://usn.ubuntu.com/3902-1/	cve@mitre.org	Third Party Advisory
https://usn.ubuntu.com/3902-2/	cve@mitre.org	Third Party Advisory
https://www.debian.org/security/2019/dsa-4398	cve@mitre.org	Third Party Advisory