CVE-2019-7317 — MEDIUM (5.3)

Q: What is CVE-2019-7317?

CVE-2019-7317 is a vulnerability with a CVSS score of 5.3 (MEDIUM). png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

Q: How severe is CVE-2019-7317?

CVE-2019-7317 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-7317?

Check the references section above for vendor advisories and patch information. Affected products include: Libpng Libpng, Debian Debian Linux, Canonical Ubuntu Linux, Oracle Hyperion Infrastructure Technology, Oracle Java Se.

Vulnerability Description

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Libpng	Libpng	>= 1.6.0, < 1.6.37
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	16.04
Oracle	Hyperion Infrastructure Technology	11.2.6.0
Oracle	Java Se	7u221
Oracle	Jdk	11.0.3
Oracle	Mysql	< 8.0.23
Hp	Xp7 Command View	< 8.7.0-00
Hpe	Xp7 Command View Advanced Edition Suite	< 8.7.0-00
Mozilla	Firefox	-
Mozilla	Thunderbird	-
Opensuse	Leap	15.0
Opensuse	Package Hub	-
Suse	Linux Enterprise	12.0
Netapp	Active Iq Unified Manager	< 9.6
Netapp	Cloud Backup	-
Netapp	E-Series Santricity Management	-
Netapp	E-Series Santricity Storage Manager	< 11.53
Netapp	E-Series Santricity Unified Manager	< 3.2
Netapp	E-Series Santricity Web Services	< 4.0

Related Weaknesses (CWE)

CWE-416

References

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.htmlMailing ListThird Party Advisory
http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-UThird Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/108098Not ApplicableThird Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:1265Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1267Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1269Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1308Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1309Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1310Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2494Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2495Third Party Advisory

FAQ

What is CVE-2019-7317?

CVE-2019-7317 is a vulnerability with a CVSS score of 5.3 (MEDIUM). png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

How severe is CVE-2019-7317?

CVE-2019-7317 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-7317?

Check the references section above for vendor advisories and patch information. Affected products include: Libpng Libpng, Debian Debian Linux, Canonical Ubuntu Linux, Oracle Hyperion Infrastructure Technology, Oracle Java Se.