CVE-2019-11035

Name
CVE-2019-11035
Description
When processing certain files, the PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be made to read past the allocated buffer in the exif_iif_add_value function. This may lead to information disclosure or a crash.
NVD Severity
high
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Exploit https://bugs.php.net/bug.php?id=77831
Third Party Advisory https://usn.ubuntu.com/3953-1/
Third Party Advisory https://usn.ubuntu.com/3953-2/
Patch https://security.netapp.com/advisory/ntap-20190502-0001/
Third Party Advisory https://support.f5.com/csp/article/K44590877
Mailing List https://lists.debian.org/debian-lts-announce/2019/05/msg00035.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00010.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2519
Mailing List https://seclists.org/bugtraq/2019/Sep/38
Third Party Advisory https://www.debian.org/security/2019/dsa-4529
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3299

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* php >= 7.2.9 < 7.2.17
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* php >= 7.3.0 < 7.3.4
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* php >= 7.1.0 < 7.1.28

Vulnerable and fixed packages

Source package Branch Version Maintainer Status