CVE-2019-19204

moderate-risk
Published 2019-11-21

An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.

Do I need to act?

~
8.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (5)

Oniguruma
Oniguruma

Affected Vendors

Debian Fedoraproject Oniguruma Project

References (16)

Exploit https://github.com/ManhNDd/CVE-2019-19204
Exploit https://github.com/kkos/oniguruma/issues/162
Release Notes https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2
Third Party Advisory https://github.com/tarantula-team/CVE-2019-19204
Third Party Advisory https://lists.debian.org/debian-lts-announce/2019/12/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://usn.ubuntu.com/4460-1/
Exploit https://github.com/ManhNDd/CVE-2019-19204
Exploit https://github.com/kkos/oniguruma/issues/162
Release Notes https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2
Third Party Advisory https://github.com/tarantula-team/CVE-2019-19204
Third Party Advisory https://lists.debian.org/debian-lts-announce/2019/12/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://usn.ubuntu.com/4460-1/
48
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 10/34 · Low
Exposure 12/34 · Low