CVE-2019-11050 - Use After Free

Severity

65%

Complexity

39%

Confidentiality

41%

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

CVSS 3.1 Base Score 6.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).

CVSS 2.0 Base Score 6.4. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P).

Demo Examples

Use After Free

CWE-416

The following example demonstrates the weakness.


               
}
free(buf3R2);

Use After Free

CWE-416

The following code illustrates a use after free error:


               
}
free(ptr);
logError("operation aborted before commit", ptr);

When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function.

Overview

First reported 5 years ago

2019-12-23 03:15:00

Last updated 5 years ago

2020-01-20 19:15:00

Affected Software

PHP PHP

PHP 7.4.0

7.4.0

Canonical Ubuntu Linux 12.04 ESM (Extended Security Maintenance)

12.04

Canonical Ubuntu Linux 14.04 ESM Edition

14.04

Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)

16.04

Canonical Ubuntu Linux 18.04 LTS Edition

18.04

Canonical Ubuntu Linux 19.04

19.04

Debian Linux 8.0 (Jessie)

8.0

Fedora 30

30

Fedora 31

31

References

openSUSE-SU-2020:0080

https://bugs.php.net/bug.php?id=78793

Exploit, Mailing List, Patch, Vendor Advisory

[debian-lts-announce] 20191229 [SECURITY] [DLA 2050-1] php5 security update

Mailing List, Third Party Advisory

FEDORA-2019-437d94e271

Third Party Advisory

FEDORA-2019-a54a622670

Third Party Advisory

20200218 [SECURITY] [DSA 4626-1] php7.3 security update

20200219 [SECURITY] [DSA 4628-1] php7.0 security update

https://security.netapp.com/advisory/ntap-20200103-0002/

Third Party Advisory

USN-4239-1

Third Party Advisory

DSA-4626

DSA-4628

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.