Buffer overflow in PHP



| Updated: 2020-07-17
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-9641
CWE-ID CWE-119
Exploitation vector Network
Public exploit N/A
Vulnerable software
 PHP
Universal components / Libraries / Scripting languages

Vendor PHP Group

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Buffer overflow

EUVDB-ID: #VU31148

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-9641

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PHP: 7.3.0alpha1 - 7.3.2

CPE2.3 External links

https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html
https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html
https://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
https://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
https://bugs.php.net/bug.php?id=77509
https://lists.debian.org/debian-lts-announce/2019/03/msg00043.html
https://security.netapp.com/advisory/ntap-20190502-0007/
https://usn.ubuntu.com/3922-1/
https://usn.ubuntu.com/3922-2/
https://usn.ubuntu.com/3922-3/
https://www.debian.org/security/2019/dsa-4403


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###