Main Vulnerability Database SB2020021421

SB2020021421 - Denial of service in PCRE2

Published: February 14, 2020 Updated: June 17, 2020

Security Bulletin ID SB2020021421

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Out-of-bounds read (CVE-ID: CVE-2019-20454)

The vulnerability allows a remote attacker to gain access to perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the "do_extuni_no_utf in pcre2_jit_compile.c" file when the pattern X is JIT compiled and used to match specially crafted subjects in non-UTF mode. A remote attacker can trigger out-of-bounds read error and crash the affected application.

Remediation

Install update from vendor's website.

References

https://bugs.exim.org/show_bug.cgi?id=2421
https://bugs.php.net/bug.php?id=78338
https://bugzilla.redhat.com/show_bug.cgi?id=1735494
https://security.gentoo.org/glsa/202006-16
https://vcs.pcre.org/pcre2?view=revision&revision=1092