CVE-2019-9025

critical

Description

An issue was discovered in PHP 7.3.x before 7.3.1. An invalid multibyte string supplied as an argument to the mb_split() function in ext/mbstring/php_mbregex.c can cause PHP to execute memcpy() with a negative argument, which could read and write past buffers allocated for the data.

References

https://bugs.php.net/bug.php?id=77367

https://security.netapp.com/advisory/ntap-20190321-0001/

Details

Source: MITRE

Published: 2019-02-22

Updated: 2021-07-21

Type: CWE-119

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins

ID | Name | Product | Family | Severity
140983 | EulerOS Virtualization for ARM 64 3.0.6.0 : php (EulerOS-SA-2020-2035) | Nessus | Huawei Local Security Checks | critical
139977 | EulerOS 2.0 SP8 : php (EulerOS-SA-2020-1874) | Nessus | Huawei Local Security Checks | critical
98245 | PHP 5.6.x < 5.6.40 Multiple vulnerabilities | Web Application Scanning | Component Vulnerability | critical
98244 | PHP 7.1.x < 7.1.26 Multiple vulnerabilities | Web Application Scanning | Component Vulnerability | critical
98243 | PHP 7.2.x < 7.2.14 Multiple vulnerabilities | Web Application Scanning | Component Vulnerability | critical
98242 | PHP 7.3.x < 7.3.1 Multiple vulnerabilities | Web Application Scanning | Component Vulnerability | critical
121475 | PHP 7.3.x < 7.3.1 Multiple vulnerabilities. | Nessus | CGI abuses | critical