Lucene search

K

PhpCVELIST:CVE-2019-11038

HistoryMay 28, 2019 - 12:00 a.m.

CVE-2019-11038 Uninitialized read in gdImageCreateFromXbm

2019-05-2800:00:00

CWE-457

php

www.cve.org

2

3.1 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

6.2 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.1%

When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.

CNA Affected

[
  {
    "product": "PHP",
    "vendor": "PHP Group",
    "versions": [
      {
        "status": "affected",
        "version": "7.1.x < 7.1.30"
      },
      {
        "status": "affected",
        "version": "7.2.x < 7.2.19"
      },
      {
        "status": "affected",
        "version": "7.3.x < 7.3.6"
      }
    ]
  }
]

References

lists.opensuse.org/opensuse-security-announce/2020-03/msg00020.html

access.redhat.com/errata/RHSA-2019:2519

access.redhat.com/errata/RHSA-2019:3299

bugs.debian.org/cgi-bin/bugreport.cgi?bug=929821

bugs.php.net/bug.php?id=77973

bugzilla.redhat.com/show_bug.cgi?id=1724149

bugzilla.redhat.com/show_bug.cgi?id=1724432

bugzilla.suse.com/show_bug.cgi?id=1140118

bugzilla.suse.com/show_bug.cgi?id=1140120

github.com/libgd/libgd/issues/501

lists.debian.org/debian-lts-announce/2019/06/msg00003.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PKSSWFR2WPMUOIB5EN5ZM252NNEPYUTG/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAZBVK6XNYEIN7RDQXESSD63QHXPLKWL/

seclists.org/bugtraq/2019/Sep/38

usn.ubuntu.com/4316-1/

usn.ubuntu.com/4316-2/

www.debian.org/security/2019/dsa-4529

3.1 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

6.2 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.1%

Related for CVELIST:CVE-2019-11038

osv3 nvd1 redhatcve1 openvas20 veracode1 cve1 ubuntucve1 prion1 mageia1 nessus30 debian2 alpinelinux1 hackerone1 debiancve1 ubuntu2 cloudfoundry1 photon3 suse1 amazon1 ibm2 fedora3 slackware1 redhat2