CVE-2019-13224

Published: 10/07/2019 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 670
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows malicious users to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

Vulnerable Products

oniguruma project: oniguruma 6.9.2
php: php
fedoraproject: fedora 29
fedoraproject: fedora 30
debian: debian linux 8.0
canonical: ubuntu linux 14.04
canonical: ubuntu linux 12.04

Vendor Advisories

Debian Bug report logs - #931878 libonig: CVE-2019-13224 CVE-2019-13225. Package: src:libonig; Maintainer for src:libonig is Jörg Frings-Fürst <debian@jff.email>; Reported by: Salvatore Bonaccorso <carnil@debian.org>. Date: Thu, 11 Jul 2019 19:39:02 UTC. Severity: important. Tags: pending, security, upstream. Found in ...
PHP could be made to cause a denial of service, expose sensitive information or execute arbitrary code if it received a specially crafted regular expression ...
Synopsis: Moderate: php:7.3 security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for the php:7.3 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability ...
Synopsis: Moderate: oniguruma security update. Type/Severity: Security Advisory: Moderate. Red Hat Insights patch analysis: identify and remediate systems affected by this advisory (view affected systems). Topic: An update for oniguruma is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Red Hat Product Security has ra ...
Synopsis: Moderate: oniguruma security update. Type/Severity: Security Advisory: Moderate. Red Hat Insights patch analysis: identify and remediate systems affected by this advisory (view affected systems). Topic: An update for oniguruma is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has ra ...
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). O ...
When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or crash (CVE-2019-11042). A use-after- ...
Impact: Low. Public Date: 2019-06-27. CWE: CWE-416. Bugzilla: 1728970: CVE-2019-13224 oniguruma: use-after ...

Mailing Lists

Full Disclosure mailing list archives: Re: CVE 2019-13224 (UAF in PHP and Ruby regex lib). From: Marcin ...