VDB
CVE-2019-9023
CVE-2019-9023
PUBLISHED
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.
EPSS 10.50% · 93.4th percentile
Risk Scores
EPSS Score
10.50%
93.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | php7.0 | 7.0.18-0ubuntu0.16.04.1, 7.0.3-3, 7.0.30-0ubuntu0.16.04.1 |
| Ubuntu:14.04:LTS | php5 | *, 5.5.9+dfsg-1ubuntu4.22, * |
| Ubuntu:18.04:LTS | php7.2 | 7.2.3-1ubuntu1, 7.2.7-0ubuntu0.18.04.2, 7.2.7-0ubuntu0.18.04.1 |
Exploit Intelligence
- CIRCL seen: CVE-2019-9023 (circl-sighting)
- openSUSE-SU-2019:1572 (circl)
- https://support.f5.com/csp/article/K06372014 (circl)
- RHSA-2019:3299 (circl)
- RHSA-2019:2519 (circl)
- openSUSE-SU-2019:1573 (circl)
- openSUSE-SU-2019:1293 (circl)
- USN-3902-2 (circl)
- DSA-4398 (circl)
- USN-3902-1 (circl)
…and 13 more exploits
Timeline
- CVE Published
- Nov 9, 2020 PoC Published
- Apr 14, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Dec 17, 2024 EPSS Score
- Mar 17, 2025 EPSS Score
- Mar 30, 2025 EPSS Score
- Apr 8, 2025 EPSS Score
- May 4, 2025 EPSS Score
- May 30, 2025 EPSS Score
- Jun 3, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-9023 third-party-advisory
- https://ubuntu.com/security/notices/USN-3902-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-3902-2 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-9023 third-party-advisory