CVE-2019-11042
published 2019-08-09

Priority: P432
Severity: high (CVSS 3.1 base score 7.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
EPSS: 4.42% (90.1st percentile)

When the PHP EXIF extension parses EXIF information from an image, for example via the exif_read_data() function, PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 can be supplied with data that causes the parser to read past the allocated buffer. This may lead to information disclosure or a crash.
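The practical question for an operator is whether a given interpreter falls inside the three upstream ranges above, and how to keep untrusted images away from exif_read_data() until it does not. The following is an added example, not code from the CVE record or from the PHP project. It encodes only the ranges the advisory names, so versions outside the 7.1, 7.2 and 7.3 branches are reported as not affected simply because no range is listed for them; the helper names (isAffectedByCve201911042, readExifGuarded) are this example's own, and the assumption that the interpreter has no distribution backport is stated in the code.

```php
<?php
declare(strict_types=1);

// Added example, not part of the CVE record or the PHP project.
// Affected ranges as stated in the advisory:
//   7.1.0 <= v < 7.1.31,  7.2.0 <= v < 7.2.21,  7.3.0 <= v < 7.3.8
const CVE_2019_11042_RANGES = [
    ['7.1.0', '7.1.31'],
    ['7.2.0', '7.2.21'],
    ['7.3.0', '7.3.8'],
];

/**
 * True if the upstream PHP version string lies inside one of the affected
 * ranges. Only the leading major.minor.patch part is compared, so that a
 * packaging suffix such as "7.3.7-1ubuntu1" does not distort the ordering
 * that version_compare() would otherwise apply to it.
 */
function isAffectedByCve201911042(string $version): bool
{
    if (preg_match('/^\d+\.\d+\.\d+/', $version, $m) !== 1) {
        throw new InvalidArgumentException("Unrecognised PHP version: $version");
    }
    $v = $m[0];
    foreach (CVE_2019_11042_RANGES as [$min, $fixed]) {
        if (version_compare($v, $min, '>=') && version_compare($v, $fixed, '<')) {
            return true;
        }
    }
    return false;
}

/**
 * Guarded wrapper around exif_read_data(): refuses to parse EXIF from
 * untrusted input on an affected interpreter, and maps the parser's
 * boolean-false failure return to null instead of letting it propagate
 * as a non-array. Returns the EXIF array, or null when none is readable.
 */
function readExifGuarded(string $path): ?array
{
    if (!extension_loaded('exif')) {
        throw new RuntimeException('exif extension is not loaded');
    }
    if (isAffectedByCve201911042(PHP_VERSION)) {
        // Assumption: this build carries no distribution backport of the
        // fix. Where it does (see the Ubuntu/Debian/Red Hat rows in the
        // affected table), trust the packager's advisory instead of this
        // upstream version check.
        throw new RuntimeException(
            'Refusing exif_read_data() on PHP ' . PHP_VERSION . ' (CVE-2019-11042)'
        );
    }
    $data = @exif_read_data($path);
    return $data === false ? null : $data;
}

// Self-check against version numbers named in the advisory.
assert(isAffectedByCve201911042('7.1.30') === true);
assert(isAffectedByCve201911042('7.1.31') === false);
assert(isAffectedByCve201911042('7.2.20') === true);
assert(isAffectedByCve201911042('7.2.21') === false);
assert(isAffectedByCve201911042('7.3.7-1ubuntu1') === true);
assert(isAffectedByCve201911042('7.3.8') === false);
assert(isAffectedByCve201911042('7.4.0') === false);

printf("PHP %s: %s\n", PHP_VERSION,
    isAffectedByCve201911042(PHP_VERSION) ? 'AFFECTED (upstream range)' : 'not in an affected upstream range');
```

Run it with the interpreter you are auditing (`php check.php`); the assert() calls need zend.assertions enabled, which is the default outside a production php.ini. The version check is a necessary but not sufficient signal: distribution packages keep their original version string while backporting the fix, which is exactly why the affected table lists Ubuntu, Debian and Red Hat entries separately from the upstream php ranges.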

Affected

21 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | < 10.15.1 | 10.15.1 |
| apple | macos_catalina | | |
| apple | macos_catalina_10.15.1_security_update_2019-001_and_security_update_2019-006 | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| opensuse | leap | | |
| php | php | >= 7.1.0 < 7.1.31 | 7.1.31 |
| php | php | >= 7.2.0 < 7.2.21 | 7.2.21 |
| php | php | >= 7.3.0 < 7.3.8 | 7.3.8 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.29+esm5 | 5.5.9+dfsg-1ubuntu4.29+esm5 |
| php_group | php | | |
| php_group | php | | |
| php_group | php | | |
| redhat | software_collections | | |
| tenable | tenable.sc | < 5.19.0 | 5.19.0 |

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H |
| nvd | 3.0 | 4.8 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L |
| nvd | 2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:P |
| osv | | 7.1 | HIGH | |
| vendor_redhat | | 7.1 | HIGH | |
| vendor_ubuntu | | 7.1 | HIGH | |