CVE-2019-13224 — CRITICAL (9.8)

Q: How severe is CVE-2019-13224?

CVE-2019-13224 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2019-13224?

Check the references section above for vendor advisories and patch information. Affected products include: Oniguruma Project Oniguruma, Php Php, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux.

Vulnerability Description

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Oniguruma Project	Oniguruma	6.9.2
Php	Php	>= 7.1.0, < 7.1.32
Fedoraproject	Fedora	29
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	12.04

Related Weaknesses (CWE)

CWE-416

References

https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb5PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/07/msg00013.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/201911-03Third Party Advisory
https://support.f5.com/csp/article/K00103182Third Party Advisory
https://support.f5.com/csp/article/K00103182?utm_source=f5support&amp%3Butm_medi
https://usn.ubuntu.com/4088-1/Third Party Advisory
https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb5PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/07/msg00013.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/201911-03Third Party Advisory
https://support.f5.com/csp/article/K00103182Third Party Advisory
https://support.f5.com/csp/article/K00103182?utm_source=f5support&amp%3Butm_medi

FAQ

What is CVE-2019-13224?

CVE-2019-13224 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted ...

How severe is CVE-2019-13224?

CVE-2019-13224 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-13224?

Check the references section above for vendor advisories and patch information. Affected products include: Oniguruma Project Oniguruma, Php Php, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux.