CVE-2019-11038 — MEDIUM (5.3)

Q: How severe is CVE-2019-11038?

CVE-2019-11038 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-11038?

Check the references section above for vendor advisories and patch information. Affected products include: Libgd Libgd, Php Php, Canonical Ubuntu Linux, Debian Debian Linux, Fedoraproject Fedora.

Vulnerability Description

When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Libgd	Libgd	2.2.5
Php	Php	>= 7.1.0, < 7.1.30
Canonical	Ubuntu Linux	14.04
Debian	Debian Linux	8.0
Fedoraproject	Fedora	29
Suse	Linux Enterprise Debuginfo	11
Opensuse	Leap	15.1
Suse	Linux Enterprise Desktop	12
Suse	Linux Enterprise Server	12
Suse	Linux Enterprise Software Development Kit	12
Suse	Linux Enterprise Workstation Extension	12
Redhat	Software Collections	1.0
Redhat	Enterprise Linux	7.0

Related Weaknesses (CWE)

CWE-908 CWE-457

References

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00020.htmlMailing ListThird Party Advisory
https://access.redhat.com/errata/RHSA-2019:2519Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3299Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929821Mailing ListThird Party Advisory
https://bugs.php.net/bug.php?id=77973Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1724149ExploitIssue TrackingThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1724432ExploitIssue TrackingThird Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1140118ExploitIssue TrackingThird Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1140120ExploitIssue TrackingThird Party Advisory
https://github.com/libgd/libgd/issues/501ExploitThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/06/msg00003.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://seclists.org/bugtraq/2019/Sep/38Mailing ListThird Party Advisory

FAQ

What is CVE-2019-11038?

CVE-2019-11038 is a vulnerability with a CVSS score of 5.3 (MEDIUM). When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3....

How severe is CVE-2019-11038?

CVE-2019-11038 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-11038?

Check the references section above for vendor advisories and patch information. Affected products include: Libgd Libgd, Php Php, Canonical Ubuntu Linux, Debian Debian Linux, Fedoraproject Fedora.