PHP up to 5.6.39/7.1.25/7.2.13/7.3.0 Regular Expression regcomp.c out-of-bounds

Summaryinfo

A vulnerability, which was classified as critical, was found in PHP up to 5.6.39/7.1.25/7.2.13/7.3.0. This vulnerability affects unknown code of the file ext/mbstring/oniguruma/regcomp.c of the component Regular Expression. The manipulation results in out-of-bounds. This vulnerability is reported as CVE-2019-9023. The attack can be launched remotely. No exploit exists. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as critical has been found in PHP up to 5.6.39/7.1.25/7.2.13/7.3.0 (Programming Language Software). Affected is some unknown functionality of the file ext/mbstring/oniguruma/regcomp.c of the component Regular Expression. The manipulation with an unknown input leads to a out-of-bounds vulnerability. CWE is classifying the issue as CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

The bug was discovered 02/22/2019. The weakness was disclosed 02/22/2019 (Website). The advisory is shared for download at securityfocus.com. This vulnerability is traded as CVE-2019-9023 since 02/22/2019. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are known technical details, but no exploit is available.

The commercial vulnerability scanner Qualys is able to test this issue with plugin 176624 (Debian Security Update for php7.0 (DSA 4398-1)).

Upgrading to version 5.6.40, 7.1.26, 7.2.14 or 7.3.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 107156†). The entries VDB-131077, VDB-131109, VDB-131110 and VDB-131111 are pretty similar. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Programming Language Software

Name

• PHP

Version

• 5.6.0
• 5.6.1
• 5.6.2
• 5.6.3
• 5.6.4
• 5.6.5
• 5.6.6
• 5.6.7
• 5.6.8
• 5.6.9
• 5.6.10
• 5.6.11
• 5.6.12
• 5.6.13
• 5.6.14
• 5.6.15
• 5.6.16
• 5.6.17
• 5.6.18
• 5.6.19
• 5.6.20
• 5.6.21
• 5.6.22
• 5.6.23
• 5.6.24
• 5.6.25
• 5.6.26
• 5.6.27
• 5.6.28
• 5.6.29
• 5.6.30
• 5.6.31
• 5.6.32
• 5.6.33
• 5.6.34
• 5.6.35
• 5.6.36
• 5.6.37
• 5.6.38
• 5.6.39
• 7.0
• 7.1
• 7.1.0
• 7.1.1
• 7.1.2
• 7.1.3
• 7.1.4
• 7.1.5
• 7.1.6
• 7.1.7
• 7.1.8
• 7.1.9
• 7.1.10
• 7.1.11
• 7.1.12
• 7.1.13
• 7.1.14
• 7.1.15
• 7.1.16
• 7.1.17
• 7.1.18
• 7.1.19
• 7.1.20
• 7.1.21
• 7.1.22
• 7.1.23
• 7.1.24
• 7.1.25
• 7.2
• 7.2.0
• 7.2.1
• 7.2.2
• 7.2.3
• 7.2.4
• 7.2.5
• 7.2.6
• 7.2.7
• 7.2.8
• 7.2.9
• 7.2.10
• 7.2.11
• 7.2.12
• 7.2.13
• 7.3.0

License

• open-source

Website

• Product: https://www.php.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion