CVE-2019-11041 — HIGH (7.1)

Q: How severe is CVE-2019-11041?

CVE-2019-11041 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-11041?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Debian Debian Linux, Canonical Ubuntu Linux, Apple Mac Os X, Opensuse Leap.

Vulnerability Description

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Php	Php	>= 7.1.0, < 7.1.31
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	12.04
Apple	Mac Os X	< 10.15.1
Opensuse	Leap	15.0
Redhat	Software Collections	1.0
Tenable	Tenable.Sc	< 5.19.0

Related Weaknesses (CWE)

CWE-125

References

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00019.htmlThird Party Advisory
http://seclists.org/fulldisclosure/2019/Oct/15Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2019/Oct/55Mailing ListThird Party Advisory
https://access.redhat.com/errata/RHSA-2019:3299Third Party Advisory
https://bugs.php.net/bug.php?id=78222ExploitPatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2019/08/msg00010.htmlMailing ListThird Party Advisory
https://seclists.org/bugtraq/2019/Oct/9Mailing ListThird Party Advisory
https://seclists.org/bugtraq/2019/Sep/35Mailing ListThird Party Advisory
https://seclists.org/bugtraq/2019/Sep/38Mailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20190822-0003/Third Party Advisory
https://support.apple.com/kb/HT210634Third Party Advisory
https://support.apple.com/kb/HT210722Third Party Advisory
https://usn.ubuntu.com/4097-1/Third Party Advisory
https://usn.ubuntu.com/4097-2/Third Party Advisory
https://www.debian.org/security/2019/dsa-4527Third Party Advisory

FAQ

What is CVE-2019-11041?

CVE-2019-11041 is a vulnerability with a CVSS score of 7.1 (HIGH). When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to su...

How severe is CVE-2019-11041?

CVE-2019-11041 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-11041?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Debian Debian Linux, Canonical Ubuntu Linux, Apple Mac Os X, Opensuse Leap.