CVE-2019-13224 — Use After Free in Project Oniguruma

CWE-416 — Use After Free10 documents8 sources

Severity

9.8CRITICALNVD

EPSS

0.5%

top 32.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Canonical Ubuntu Linux Debian Linux +2 more

Timeline

PublishedJul 10

Latest updateMay 24

Description

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDoniguruma_project/oniguruma6.9.2

▶NVDphp/php7.1.0 — 7.1.32+2

Also affects: Debian Linux 8.0, Fedora 29, 30, Ubuntu Linux 12.04, 14.04

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-p5x5-jvwg-8vjr: A use-after-free in onig_new_deluxe() in regext↗2022-05-24

▶

CVEList

CVE-2019-13224: A use-after-free in onig_new_deluxe() in regext↗2019-07-10

▶

OSV

CVE-2019-13224: A use-after-free in onig_new_deluxe() in regext↗2019-07-10

▶

📋Vendor Advisories

Ubuntu

PHP vulnerability↗2019-08-07

▶

Red Hat

oniguruma: Use-after-free in onig_new_deluxe() in regext.c↗2019-06-27

▶

Debian

CVE-2019-13224: libonig - A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows atta...↗2019

▶

💬Community

Bugzilla

CVE-2019-13224 oniguruma: use-after-free in onig_new_deluxe() in regext.c [epel-7]↗2019-07-11

▶

Bugzilla

CVE-2019-13224 oniguruma: Use-after-free in onig_new_deluxe() in regext.c↗2019-07-11

▶

Bugzilla

CVE-2019-13224 oniguruma: use-after-free in onig_new_deluxe() in regext.c [fedora-all]↗2019-07-11

▶