CVE-2019-11037

In PHP imagick extension in versions between 3.3.0 and 3.4.4, writing to an array of values in ImagickKernel::fromMatrix() function did not check that the address will be within the allocated array. This could lead to out of bounds write to memory if the function is called with the data controlled by untrusted party.

CVSS v3 4.9 MEDIUM
CVSS v2.0 7.5 HIGH

4.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Exploitability : 1.4 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00016.html
http://www.securityfocus.com/bid/108292
https://bugs.php.net/bug.php?id=77791	Mailing List Vendor Advisory
https://github.com/CVEProject/cvelist/pull/1964
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MQ7WJA25YF2R2LRALK4QEYWUHHJPSUD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BU66V7QJKD32RXLY5J7Z5NZH4V3VV524/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FME5ZG7DDYWUPPHTTAFJB5OFFCPXYHPS/
https://seclists.org/bugtraq/2019/Nov/39
https://security.gentoo.org/glsa/202003-38
https://usn.ubuntu.com/4586-1/
https://www.debian.org/security/2019/dsa-4576
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00016.html
http://www.securityfocus.com/bid/108292
https://bugs.php.net/bug.php?id=77791	Mailing List Vendor Advisory
https://github.com/CVEProject/cvelist/pull/1964
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MQ7WJA25YF2R2LRALK4QEYWUHHJPSUD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BU66V7QJKD32RXLY5J7Z5NZH4V3VV524/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FME5ZG7DDYWUPPHTTAFJB5OFFCPXYHPS/
https://seclists.org/bugtraq/2019/Nov/39
https://security.gentoo.org/glsa/202003-38
https://usn.ubuntu.com/4586-1/
https://www.debian.org/security/2019/dsa-4576

Configurations

Configuration 1 (hide)

cpe:2.3:a:php:imagick:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:20

Type	Values Removed	Values Added
References	~~() http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00016.html -~~	() http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00016.html -
References	~~() http://www.securityfocus.com/bid/108292 -~~	() http://www.securityfocus.com/bid/108292 -
References	~~() https://bugs.php.net/bug.php?id=77791 - Mailing List, Vendor Advisory~~	() https://bugs.php.net/bug.php?id=77791 - Mailing List, Vendor Advisory
References	~~() https://github.com/CVEProject/cvelist/pull/1964 -~~	() https://github.com/CVEProject/cvelist/pull/1964 -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MQ7WJA25YF2R2LRALK4QEYWUHHJPSUD/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MQ7WJA25YF2R2LRALK4QEYWUHHJPSUD/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BU66V7QJKD32RXLY5J7Z5NZH4V3VV524/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BU66V7QJKD32RXLY5J7Z5NZH4V3VV524/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FME5ZG7DDYWUPPHTTAFJB5OFFCPXYHPS/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FME5ZG7DDYWUPPHTTAFJB5OFFCPXYHPS/ -
References	~~() https://seclists.org/bugtraq/2019/Nov/39 -~~	() https://seclists.org/bugtraq/2019/Nov/39 -
References	~~() https://security.gentoo.org/glsa/202003-38 -~~	() https://security.gentoo.org/glsa/202003-38 -
References	~~() https://usn.ubuntu.com/4586-1/ -~~	() https://usn.ubuntu.com/4586-1/ -
References	~~() https://www.debian.org/security/2019/dsa-4576 -~~	() https://www.debian.org/security/2019/dsa-4576 -
CVSS	v2 : ~~7.5~~ v3 : ~~9.8~~	v2 : 7.5 v3 : 4.9

07 Nov 2023, 03:02

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FME5ZG7DDYWUPPHTTAFJB5OFFCPXYHPS/', 'name': 'FEDORA-2019-5dc1f4100e', 'tags': [], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BU66V7QJKD32RXLY5J7Z5NZH4V3VV524/', 'name': 'FEDORA-2019-9448fa46f3', 'tags': [], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MQ7WJA25YF2R2LRALK4QEYWUHHJPSUD/', 'name': 'FEDORA-2019-488d0f9a4b', 'tags': [], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BU66V7QJKD32RXLY5J7Z5NZH4V3VV524/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FME5ZG7DDYWUPPHTTAFJB5OFFCPXYHPS/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MQ7WJA25YF2R2LRALK4QEYWUHHJPSUD/ -

Information

Published : 2019-05-03 20:29

Updated : 2024-11-21 04:20

NVD link : CVE-2019-11037

Mitre link : CVE-2019-11037

CVE.ORG link : CVE-2019-11037

JSON object : View

Products Affected

php

imagick

CWE

CWE-787

Out-of-bounds Write

4.9 /10