CVE-2019-13224
moderate-risk
Published 2019-07-10
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
Do I need to act?
EPSS: 0.54% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Fix available: the fix is carried by the upstream Oniguruma git commits 0f7f61ed1b7b697e283e37bd2d731d0bd57adb55, 481520d3819b0b68b65539ff59b4bd2f018d6e5f, b4140bf64811b97af153a5d49a1d71677993a075 and 89dc78e0f0c1a4f27b889f232b109a3919ecf478 (these are commit identifiers, not version numbers). Upstream release 6.9.3 and later include them; distribution packages referenced below (Ubuntu USN-4088-1, Gentoo GLSA 201911-03) ship the fix as backports, so a package version string below 6.9.3 is not by itself proof of exposure.
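Because the advisory identifies the fix only by commit hash, the practical check on a host is whether the installed libonig is at or past the release that carries those commits. The script below is an added example, not code from this page, the advisory or the Oniguruma project: it queries the version through pkg-config or onig-config (both installed by the upstream build), compares it numerically against 6.9.3, and flags that a lower number may still be a patched distro backport. The 6.9.3 threshold is the upstream release containing the fix; the pkg-config module name `oniguruma` and the `onig-config --version` flag are the ones the upstream build installs.

```shell
#!/bin/sh
# Added example (not from the page, the advisory or the Oniguruma project):
# decide whether a libonig build is at or past 6.9.3, the upstream release
# that ships the CVE-2019-13224 fix commits listed above.

FIXED_VERSION="6.9.3"

# vcomp VERSION N -> prints the Nth dotted component as a plain integer
# (0 when absent). A trailing "." is appended so cut always sees a
# delimiter; a non-digit suffix such as "3-1ubuntu1" is stripped to "3".
vcomp() {
    c=$(printf '%s.\n' "$1" | cut -d. -f"$2")
    c=${c%%[!0-9]*}
    printf '%s\n' "${c:-0}"
}

# version_ge A B -> exit status 0 when dotted version A >= B, 1 otherwise.
# Components are compared numerically, so 6.10.0 sorts after 6.9.3
# (a plain string comparison would get that wrong).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        ac=$(vcomp "$1" "$i")
        bc=$(vcomp "$2" "$i")
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# installed_onig_version -> prints the version the build tooling reports,
# or nothing when neither pkg-config nor onig-config is on PATH.
installed_onig_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists oniguruma 2>/dev/null; then
        pkg-config --modversion oniguruma
    elif command -v onig-config >/dev/null 2>&1; then
        onig-config --version
    fi
}

# check_onig VERSION -> prints a verdict; returns 0 when the version is at
# or past the fixed release, 1 when the bare number is still in the
# vulnerable range (distro backports need a package-level check), 2 when
# no version could be determined.
check_onig() {
    v="$1"
    if [ -z "$v" ]; then
        echo "oniguruma: not found via pkg-config or onig-config"
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "oniguruma $v: at or past $FIXED_VERSION, CVE-2019-13224 fixed upstream"
        return 0
    fi
    echo "oniguruma $v: below $FIXED_VERSION; vulnerable unless the distro backported the fix (USN-4088-1, GLSA 201911-03)"
    return 1
}

# Report on the local build; the exit status is informational when run directly.
check_onig "$(installed_onig_version)" || true
```

Run it on each host that links libonig directly or through PHP mbstring or a Rust `onig` crate build against the system library; a result of 1 on a distro package means checking the package changelog against the vendor advisory rather than assuming exposure.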
CVSS 9.8/10 · Critical (attack vector: NETWORK, attack complexity: LOW)
Affected Products (7)
Affected Vendors
References (16)
Third Party Advisory: https://security.gentoo.org/glsa/201911-03
Third Party Advisory: https://support.f5.com/csp/article/K00103182
Third Party Advisory: https://usn.ubuntu.com/4088-1/
Risk score: 48 / 100 (moderate-risk)
Severity: 32/34 · Critical
Exploitability: 2/34 · Minimal
Exposure: 14/34 · Moderate