Out-of-bounds read in PCRE

#VU30256 Out-of-bounds read in PCRE

Cybersecurity Help s.r.o.

Published: 2020-06-15 | Updated: 2024-10-02

Vulnerability identifier: #VU30256

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-20838

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PCRE
Universal components / Libraries / Libraries used by multiple products

Vendor: PCRE

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and X or R has more than one fixed quantifier, a related issue to CVE-2019-20454.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PCRE: 8.00 - 8.42

External links
http://bugs.gentoo.org/717920
http://www.pcre.org/original/changelog.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Aspera Shares

Multiple vulnerabilities in IBM Aspera Console

Multiple vulnerabilities in Red Hat Ansible Automation Platform 2.4

Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)

Splunk Enterprise update for third-party packages

Multiple vulnerabilities in OpenShift Container Platform 4.11

Multiple vulnerabilities in IBM Aspera Faspex

Multiple vulnerabilities in OpenShift Virtualization

Multiple vulnerabilities in Migration Toolkit for Containers (MTC) 1.7

Multiple vulnerabilities in OpenShift Container Platform 4.11