An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str() occurs during regular expression compilation. Code point 0xFFFFFFFF is not properly handled in unicode_unfold_key(). A malformed regular expression could result in 4 bytes being written off the end of a stack buffer of expand_case_fold_string() during the call to onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer overflow.
| Metric | CVSS v2 | CVSS v3 |
|---|---|---|
| Base Score | 7.5 | 9.8 |
| Impact Score | 6.4 | 5.9 |
| Exploitability Score | 10 | 3.9 |
Affected configurations (CPE):

- `cpe:2.3:a:php:php:*:*:*:*:*:oniguruma-mod:*:*` (versions up to 7.1.5, inclusive)
- `cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:oniguruma-mod:*:*` (versions up to 2.4.1, inclusive)
Detection plugins:

| Plugin ID | Name | Product | Family |
|---|---|---|---|
| 121702 | Photon OS 1.0: Ruby PHSA-2017-0021 | Nessus | PhotonOS Local Security Checks |
| 111870 | Photon OS 1.0: Bindutils / Krb5 / Ruby / Sudo / Zlib PHSA-2017-0021 (deprecated) | Nessus | PhotonOS Local Security Checks |
| 101745 | Fedora 26 : oniguruma (2017-ee01a2ced6) | Nessus | Fedora Local Security Checks |
| 100730 | Fedora 25 : oniguruma (2017-60997f0d14) | Nessus | Fedora Local Security Checks |