CVE-2019-13224
published 2019-07-10


Priority: P345
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.05% (89.4th percentile)
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

Affected

10 ranges

Vendor             Product        Version range                   Fixed in
canonical          ubuntu_linux
canonical          ubuntu_linux
debian             debian_linux
debian             libonig        < libonig 6.9.2-1 (bookworm)    libonig 6.9.2-1 (bookworm)
fedoraproject      fedora
fedoraproject      fedora
oniguruma_project  oniguruma
php                php            >= 7.1.0 < 7.1.32               7.1.32
php                php            >= 7.2.0 < 7.2.23               7.2.23
php                php            >= 7.3.0 < 7.3.9                7.3.9

CVSS provenance

Source         CVSS version  Score  Severity  Vector
nvd            v3.1          9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0          7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                          9.8    CRITICAL
vendor_debian                9.8    LOW
vendor_redhat                9.8    CRITICAL