PT-2019-5049 · Oniguruma+8

Kkos · Published 2019-06-27 · Updated 2024-06-15 · CVE-2019-13224

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Oniguruma version 6.9.2
Description: A use-after-free issue in the onig_new_deluxe() function in regext.c allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker supplies a regex pattern and a subject string pair in a multi-byte encoding that is handled by onig_new_deluxe(). This issue may affect Ruby, as well as common optional libraries for PHP and Rust.
Recommendations: For Oniguruma version 6.9.2, consider updating to a newer version to mitigate the risk; however, at the moment there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the use of the onig_new_deluxe() function until a patch is available. Avoid using multi-byte encodings in regex patterns and strings handled by onig_new_deluxe() until the issue is resolved.

Exploit · DoS · Use After Free


Weakness Enumeration

Related Identifiers

ALSA-2020:3662
ALSA-2024:0889
ALT-PU-2019-2455
ALT-PU-2019-2879
ALT-PU-2019-2906
ALT-PU-2019-3215
ALT-PU-2020-2429
ALT-PU-2020-2430
BDU:2020-01691
CESA-2020_3662
CESA-2024_0889
CVE-2019-13224
DLA-1854-1
DLA-2431-1
DSA-4527-1
DSA-4529-1
MGASA-2019-0253
MGASA-2020-0029
OPENSUSE-SU-2022_3327-1
OPENSUSE-SU-2024:11111-1
RHSA-2020:3662
RHSA-2020_3662
RHSA-2024:0409
RHSA-2024:0572
RHSA-2024:0889
RHSA-2024_0889
RLSA-2020:3662
SUSE-SU-2022:3327-1
USN-4088-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Oniguruma
Red Hat
Rocky Linux
Suse
Ubuntu