First published: Sat Dec 29 2018(Updated: )
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/rh-php71-php | <0:7.1.30-1.el7 | 0:7.1.30-1.el7 |
redhat/rh-php72-php | <0:7.2.24-1.el7 | 0:7.2.24-1.el7 |
PHP PHP | <5.6.40 | |
PHP PHP | >=7.0.0<7.1.26 | |
PHP PHP | >=7.2.0<7.2.14 | |
PHP PHP | >=7.3.0<7.3.1 | |
Debian Debian Linux | =9.0 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Netapp Storage Automation Store | ||
openSUSE Leap | =42.3 | |
PHP PHP | <7.1.26 | 7.1.26 |
redhat/php | <5.6.40 | 5.6.40 |
redhat/php | <7.1.26 | 7.1.26 |
redhat/php | <7.2.14 | 7.2.14 |
redhat/php | <7.3.1 | 7.3.1 |
debian/php5 | ||
debian/php7.0 | ||
debian/php7.3 | ||
<5.6.40 | ||
>=7.0.0<7.1.26 | ||
>=7.2.0<7.2.14 | ||
>=7.3.0<7.3.1 | ||
=9.0 | ||
=12.04 | ||
=14.04 | ||
=16.04 | ||
=42.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
The vulnerability ID for this bug is CVE-2019-9023.
The severity of CVE-2019-9023 is critical with a score of 9.8.
The affected software for CVE-2019-9023 includes PHP versions before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1.
To fix CVE-2019-9023, update PHP to version 5.6.40, 7.1.26, 7.2.14, or 7.3.1.
You can find more information about CVE-2019-9023 at the following links: [Link 1](https://www.php.net/ChangeLog-7.php#7.1.26), [Link 2](http://git.php.net/?p=php-src.git;a=commit;h=20407d06ca3cb5eeb10f876a812b40c381574bcc), [Link 3](http://git.php.net/?p=php-src.git;a=commit;h=deb06bbb9cbb31292fc219501614a8c3ff25bb11).