#VU31148 Buffer overflow in PHP
Vulnerability identifier: #VU31148
Vulnerability risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-119
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
PHP
Universal components / Libraries /
Scripting languages
Vendor: PHP Group
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.
Mitigation
Install update from vendor's website.
Vulnerable software versions
PHP: 7.3.0 - 7.3.2
External links
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
http://bugs.php.net/bug.php?id=77509
http://lists.debian.org/debian-lts-announce/2019/03/msg00043.html
http://security.netapp.com/advisory/ntap-20190502-0007/
http://usn.ubuntu.com/3922-1/
http://usn.ubuntu.com/3922-2/
http://usn.ubuntu.com/3922-3/
http://www.debian.org/security/2019/dsa-4403
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
