CVE-2019-11050: Use-after-free in exif parsing under memory sanitizer
First published: Thu Nov 07 2019(Updated: )
Fixed bug (Use-after-free in exif parsing under memory sanitizer). (CVE-2019-11050)
Credit: security@php.net security@php.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-php73-php | <0:7.3.20-1.el7 | 0:7.3.20-1.el7 |
| PHP PHP | >=7.2.0<=7.2.26 | |
| PHP PHP | >=7.3.0<=7.3.13 | |
| PHP PHP | =7.4.0 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| Debian Debian Linux | =8.0 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Tenable SecurityCenter | <5.19.0 | |
| openSUSE Leap | =15.1 | |
| PHP PHP | <7.2.26 | 7.2.26 |
| redhat/php | <7.4.1 | 7.4.1 |
| redhat/php | <7.3.13 | 7.3.13 |
| redhat/php | <7.2.26 | 7.2.26 |
| debian/php5 | ||
| debian/php7.0 | ||
| debian/php7.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-11050 https://nvd.nist.gov/vuln/detail/CVE-2019-11050
- https://bugzilla.redhat.com/show_bug.cgi?id=1788258
- https://access.redhat.com/errata/RHSA-2020:3662
- https://access.redhat.com/errata/RHSA-2020:5275
- https://access.redhat.com/security/cve/cve-2019-11050
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html
- https://bugs.php.net/bug.php?id=78793
- https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
- https://seclists.org/bugtraq/2020/Feb/27
- https://seclists.org/bugtraq/2020/Feb/31
- https://seclists.org/bugtraq/2021/Jan/3
- https://security.netapp.com/advisory/ntap-20200103-0002/
- https://usn.ubuntu.com/4239-1/
- https://www.debian.org/security/2020/dsa-4626
- https://www.debian.org/security/2020/dsa-4628
- https://www.tenable.com/security/tns-2021-14
- https://www.php.net/ChangeLog-7.php#7.2.26 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1788259
- http://git.php.net/?p=php-src.git;a=commit;h=c14eb8de974fc8a4d74f3515424c293bc7a40fba
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
- https://launchpad.net/bugs/cve/CVE-2019-11050
- https://bugs.php.net/78793
- https://security-tracker.debian.org/tracker/CVE-2019-11050
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11050
- https://nvd.nist.gov/vuln/detail/CVE-2019-11050
- https://ubuntu.com/security/CVE-2019-11050
Frequently Asked Questions
What is CVE-2019-11050?
CVE-2019-11050 is a vulnerability in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13, and 7.4.0 that allows an attacker to read past the allocated buffer, potentially leading to information disclosure.
How severe is CVE-2019-11050?
CVE-2019-11050 has a severity rating of 6.5.
Which software versions are affected by CVE-2019-11050?
PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13, and 7.4.0 are affected by CVE-2019-11050.
How can I fix CVE-2019-11050?
To fix CVE-2019-11050, upgrade PHP to version 7.2.26, 7.3.13, or 7.4.1 depending on the version you are using.
Where can I find more information about CVE-2019-11050?
You can find more information about CVE-2019-11050 on the following references: [1] [2] [3]
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/php-changelog
- source/PHP
- agent/software-canonical-lookup
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-11050
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/severity
- agent/references
- agent/remedy
- agent/description
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- collector/nvd-cve
- source/NVD
- agent/author
- agent/tags
- agent/softwarecombine
- agent/event
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/php
- canonical/php php
- version/php php/7.2.0
- version/php php/7.2.26
- version/php php/7.3.0
- version/php php/7.3.13
- version/php php/7.4.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/tenable
- canonical/tenable securitycenter
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- package-manager/debian