cbcvebase.
CVE-2019-11047
published 2019-12-23


Priority: P3 37
Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
EPSS: 7.47% (93.7th percentile)
When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash.

Affected

18 ranges
Vendor          Product        Version range                           Fixed in
canonical       ubuntu_linux   (6 entries, no version range listed)    -
debian          debian_linux   (3 entries, no version range listed)    -
fedoraproject   fedora         (2 entries, no version range listed)    -
php             php            (1 entry, no version range listed)      -
php             php            >= 7.2.0 < 7.2.26                       7.2.26
php             php            >= 7.3.0 < 7.3.13                       7.3.13
php5            php5           >= 0 < 5.5.9+dfsg-1ubuntu4.29+esm8      5.5.9+dfsg-1ubuntu4.29+esm8
php_group       php            >= 7.2.x < 7.2.26                       7.2.26
php_group       php            >= 7.3.x < 7.3.13                       7.3.13
php_group       php            >= 7.4.x < 7.4.1                        7.4.1

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             v3.1           6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
nvd             v2.0           6.4     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:P
osv             -              6.5     MEDIUM     -
vendor_redhat   -              4.8     MEDIUM     -
vendor_ubuntu   -              3.7     LOW        -