CVE-2019-13225
Published 2019-07-10
Priority P425 · CVSS 3.1 6.5 (medium) · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS 2.13% (79.6th percentile)
A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libonig | < libonig 6.9.2-1 (bookworm) | libonig 6.9.2-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| oniguruma_project | oniguruma | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | LOW | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
GHSA
GHSA-cc6v-h3w4-jf38: A NULL Pointer Dereference in match_at() in regexec.c
ghsa_unreviewed · 2022-05-24 · CVE-2019-13225 [MEDIUM]
OSV
CVE-2019-13225: A NULL Pointer Dereference in match_at() in regexec.c
osv · 2019-07-10 · CVSS 6.5 · CVE-2019-13225 [MEDIUM]
Red Hat
oniguruma: NULL pointer dereference in match_at() in regexec.c
vendor_redhat · 2019-06-27 · CVSS 6.5 · CVE-2019-13225 [MEDIUM] · CWE-476
Statement: The version of the Oniguruma package shipped with Red Hat Enterprise Linux 6 is not affected by this issue. The issue resides in the way 'If/Else' statements are handled by Oniguruma, which is not supported by the version in Red Hat Enterprise Linux 6.
Package: php (Red Hat Enterprise Linux 5) - Not affected
Package: php53 (Red Hat Enterprise Linux 5) - Not affected
Package: oniguruma (Red Hat Enterprise Linux 6) - Not affected
Package: php (Red Hat Enterprise Linux 6)
Debian
CVE-2019-13225: libonig - A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows ...
vendor_debian · 2019 · CVSS 6.5 · CVE-2019-13225 [MEDIUM]
Scope: local
bookworm: resolved (fixed in 6.9.2-1)
bullseye: resolved (fixed in 6.9.2-1)
forky: resolved (fixed in 6.9.2-1)
sid: resolved (fixed in 6.9.2-1)
trixie: resolved (fixed in 6.9.2-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-13225 oniguruma: NULL pointer dereference in match_at() in regexec.c
bugzilla · 2019-07-11 · CVSS 6.5 · CVE-2019-13225 [MEDIUM]
Upstream commit:
https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
Discussion:
Created oniguruma tracking bugs for this issue:
Affects: epel-7 [bug 1728967]
Affects: fedora-all [bug 1728966]
---
(In reply to Dhananjay Arunesh from comment #0)
> A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2
> allows attackers to potentially cause denial of service by providing a
> crafted regular expression.
Bugzilla
CVE-2019-13225 oniguruma: null-pointer dereference in match_at() in regexec.c [epel-7]
bugzilla · 2019-07-11 · CVSS 6.5 · CVE-2019-13225 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for
Bugzilla
CVE-2019-13225 oniguruma: null-pointer dereference in match_at() in regexec.c [fedora-all]
bugzilla · 2019-07-11 · CVSS 6.5 · CVE-2019-13225 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple suppo
References
https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWCPDTZOIUKGMFAD5NAKUB7FPJFAIQN5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNL26OZSQRVLEO6JRNUVIMZTICXBNEQW/
https://security.gentoo.org/glsa/201911-03