#VU30256 Out-of-bounds read in PCRE - CVE-2019-20838

Cybersecurity Help s.r.o.

Published: 2020-06-15 | Updated: 2024-10-02

Vulnerability identifier: #VU30256

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-20838

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PCRE
Universal components / Libraries / Libraries used by multiple products

Vendor: PCRE

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and X or R has more than one fixed quantifier, a related issue to CVE-2019-20454.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PCRE: 8.00 - 8.42

External links
https://bugs.gentoo.org/717920
https://www.pcre.org/original/changelog.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Aspera Shares

Multiple vulnerabilities in IBM Aspera Console

Multiple vulnerabilities in Red Hat Ansible Automation Platform 2.4

Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)

Splunk Enterprise update for third-party packages

Multiple vulnerabilities in OpenShift Container Platform 4.11

Multiple vulnerabilities in IBM Aspera Faspex

Multiple vulnerabilities in OpenShift Virtualization

Multiple vulnerabilities in Migration Toolkit for Containers (MTC) 1.7

Multiple vulnerabilities in OpenShift Container Platform 4.11