CVE-2019-11034
published 2019-04-18


Priority: P344
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 4.09% (89.5th percentile)
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.

Affected (19 ranges)

Vendor         Product                Version range                         Fixed in
canonical      ubuntu_linux
canonical      ubuntu_linux
canonical      ubuntu_linux
canonical      ubuntu_linux
canonical      ubuntu_linux
canonical      ubuntu_linux
debian         debian_linux
debian         debian_linux
opensuse       leap
opensuse       leap
opensuse       leap
php            php                    >= 7.1.0 < 7.1.28                     7.1.28
php            php                    >= 7.2.9 < 7.2.17                     7.2.17
php            php                    >= 7.3.0 < 7.3.4                      7.3.4
php5           php5                   >= 0 < 5.5.9+dfsg-1ubuntu4.29+esm1    5.5.9+dfsg-1ubuntu4.29+esm1
php_group      php                    >= 7.1.x < 7.1.28                     7.1.28
php_group      php                    >= 7.2.x < 7.2.17                     7.2.17
php_group      php                    >= 7.3.x < 7.3.4                      7.3.4
redhat         software_collections

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvd             v3.0      4.8     MEDIUM     CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
nvd             v2.0      6.4     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:P
osv                       9.1     CRITICAL
vendor_redhat             9.1     CRITICAL