Main Vulnerability Database Vulnerabilities #VU23097

#VU23097 Out-of-bounds read in Oniguruma - CVE-2019-19246

Published: November 29, 2019

Vulnerability identifier: #VU23097

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-19246

CWE-ID: CWE-125

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Oniguruma

Software vendor:
K.Kosako

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to heap-based buffer over-read in str_lower_case_match in regexec.c, if used with PPH 7.3. A remote attacker can perform a denial of service attack or gain access to sensitive information.

Remediation

Install update from vendor's website.

External links

https://bugs.php.net/bug.php?id=78559
https://github.com/kkos/oniguruma/commit/d3e402928b6eb3327f8f7d59a9edfa622fec557b