CVE-2019-19204
published 2019-11-21CVE-2019-19204: An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c…
PriorityP340high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
6.89%
93.3th percentile
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | libonig | < libonig 6.9.4-1 (bookworm) | libonig 6.9.4-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| oniguruma_project | oniguruma | — | — |
| oniguruma_project | oniguruma | >= 6.0.0 < 6.9.4 | 6.9.4 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_debian7.5LOW
vendor_redhat7.5HIGH
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
libonig vulnerabilities
osv·2022-10-10·CVSS 7.5
CVE-2019-16163 [HIGH] libonig vulnerabilities
libonig vulnerabilities
It was discovered that Oniguruma incorrectly handled certain regular
expressions. An attacker could possibly use this issue to cause a denial
of service, obtain sensitive information or other unspecified impact. This issue
only affected Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. (CVE-2019-16163,
CVE-2019-19012, CVE-2019-19204, CVE-2019-19246)
It was discovered that Oniguruma incorrectly handled memory when using certain
UChar pointers. An attacker could possibly use this issue to cause a denial of
service or sensitive information disclosure. (CVE-2019-19203)
GHSA
GHSA-563p-6h7j-cxg6: An issue was discovered in Oniguruma 6
ghsa_unreviewed·2022-05-24
CVE-2019-19204 [HIGH] GHSA-563p-6h7j-cxg6: An issue was discovered in Oniguruma 6
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.
OSV
libonig vulnerabilities
osv·2020-08-17·CVSS 7.5
CVE-2019-16163 [HIGH] libonig vulnerabilities
libonig vulnerabilities
It was discovered that Oniguruma incorrectly handled certain regular
expressions. An attacker could possibly use this issue to cause a denial
of service, obtain sensitive information or other unspecified impact.
(CVE-2019-16163, CVE-2019-19012, CVE-2019-19204, CVE-2019-19246)
OSV
CVE-2019-19204: An issue was discovered in Oniguruma 6
osv·2019-11-21·CVSS 7.5
CVE-2019-19204 [HIGH] CVE-2019-19204: An issue was discovered in Oniguruma 6
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.
Ubuntu
Oniguruma vulnerabilities
vendor_ubuntu·2022-10-10·CVSS 7.5
CVE-2019-19012 [HIGH] Oniguruma vulnerabilities
Title: Oniguruma vulnerabilities
Summary: Several security issues were fixed in Oniguruma.
It was discovered that Oniguruma incorrectly handled certain regular
expressions. An attacker could possibly use this issue to cause a denial
of service, obtain sensitive information or other unspecified impact. This issue
only affected Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. (CVE-2019-16163,
CVE-2019-19012, CVE-2019-19204, CVE-2019-19246)
It was discovered that Oniguruma incorrectly handled memory when using certain
UChar pointers. An attacker could possibly use this issue to cause a denial of
service or sensitive information disclosure. (CVE-2019-19203)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Oniguruma vulnerabilities
vendor_ubuntu·2020-08-17·CVSS 7.5
CVE-2019-16163 [HIGH] Oniguruma vulnerabilities
Title: Oniguruma vulnerabilities
Summary: Several security issues were fixed in Oniguruma.
It was discovered that Oniguruma incorrectly handled certain regular
expressions. An attacker could possibly use this issue to cause a denial
of service, obtain sensitive information or other unspecified impact.
(CVE-2019-16163, CVE-2019-19012, CVE-2019-19204, CVE-2019-19246)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c
vendor_redhat·2019-11-06·CVSS 7.5
CVE-2019-19204 [HIGH] CWE-125 oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c
oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.
An out-of-bounds read vulnerability was found in Oniguruma in the way it handled regular expression quantifiers. A remote attacker could abuse this flaw by providing a malformed regular expression that, when processed by an application linked to Oniguruma, could possibly crash the application, resulting in a denial of service.
Package: php (Red Hat Enterprise Linux 5) - Out of support scope
Package: php53 (Red Hat Enterprise Linux 5) - Out of support scope
Debian
CVE-2019-19204: libonig - An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch...
vendor_debian·2019·CVSS 7.5
CVE-2019-19204 [HIGH] CVE-2019-19204: libonig - An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch...
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.
Scope: local
bookworm: resolved (fixed in 6.9.4-1)
bullseye: resolved (fixed in 6.9.4-1)
forky: resolved (fixed in 6.9.4-1)
sid: resolved (fixed in 6.9.4-1)
trixie: resolved (fixed in 6.9.4-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-19204 oniguruma: heap-based buffer over-read in function fetch_interval_quantifier in regparse.c [openstack-rdo]
bugzilla·2020-03-17·CVSS 7.5
CVE-2019-19204 [HIGH] CVE-2019-19204 oniguruma: heap-based buffer over-read in function fetch_interval_quantifier in regparse.c [openstack-rdo]
CVE-2019-19204 oniguruma: heap-based buffer over-read in function fetch_interval_quantifier in regparse.c [openstack-rdo]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Disc
Bugzilla
CVE-2019-19204 oniguruma: heap-based buffer over-read in function fetch_interval_quantifier in regparse.c [fedora-30]
bugzilla·2020-02-12·CVSS 7.5
CVE-2019-19204 [HIGH] CVE-2019-19204 oniguruma: heap-based buffer over-read in function fetch_interval_quantifier in regparse.c [fedora-30]
CVE-2019-19204 oniguruma: heap-based buffer over-read in function fetch_interval_quantifier in regparse.c [fedora-30]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-30.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Bugzilla
CVE-2019-19204 oniguruma: heap-based buffer over-read in function fetch_interval_quantifier in regparse.c [epel-7]
bugzilla·2020-02-12·CVSS 7.5
CVE-2019-19204 [HIGH] CVE-2019-19204 oniguruma: heap-based buffer over-read in function fetch_interval_quantifier in regparse.c [epel-7]
CVE-2019-19204 oniguruma: heap-based buffer over-read in function fetch_interval_quantifier in regparse.c [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use th
Bugzilla
CVE-2019-19204 oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c
bugzilla·2020-02-12·CVSS 7.5
CVE-2019-19204 [HIGH] CVE-2019-19204 oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c
CVE-2019-19204 oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.
Reference:
https://github.com/kkos/oniguruma/issues/162
https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2
https://github.com/ManhNDd/CVE-2019-19204
https://lists.fedoraproject.org/archives/list/[email protected]/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/
https://lists.fedoraproject.org/archives/list/[email protected]/message/V3MBNW6Z4DOXSCNWGBLQ7OA3OGUJ44WL/
Discussion:
Created oniguruma tr
https://github.com/ManhNDd/CVE-2019-19204https://github.com/kkos/oniguruma/issues/162https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2https://github.com/tarantula-team/CVE-2019-19204https://lists.debian.org/debian-lts-announce/2019/12/msg00002.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3MBNW6Z4DOXSCNWGBLQ7OA3OGUJ44WL/https://usn.ubuntu.com/4460-1/https://github.com/ManhNDd/CVE-2019-19204https://github.com/kkos/oniguruma/issues/162https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2https://github.com/tarantula-team/CVE-2019-19204https://lists.debian.org/debian-lts-announce/2019/12/msg00002.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3MBNW6Z4DOXSCNWGBLQ7OA3OGUJ44WL/https://usn.ubuntu.com/4460-1/
2019-11-21
Published