Search for vulnerabilities
Vulnerability details: VCID-2bzc-1p3m-aaac
Vulnerability ID VCID-2bzc-1p3m-aaac
Aliases CVE-2019-11038
Summary When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-908 Use of Uninitialized Resource
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
System Score Found at
generic_textual Low http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11038.html
cvssv3 3.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-11038.json
epss 0.00260 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00322 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00322 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00322 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00322 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00322 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00322 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00322 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00322 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00322 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00322 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00369 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00369 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00369 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.00381 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.03082 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.03082 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.03604 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.03604 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.03604 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.03604 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.08396 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09094 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09094 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09094 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09094 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09094 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09094 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09094 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.09212 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
epss 0.1005 https://api.first.org/data/v1/epss?cve=CVE-2019-11038
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11034
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11035
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11036
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11038
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11039
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11040
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11041
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11042
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224
cvssv3 4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2019-11038
cvssv3 5.3 https://nvd.nist.gov/vuln/detail/CVE-2019-11038
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2019-11038
generic_textual Low https://ubuntu.com/security/notices/USN-4316-1
generic_textual Low https://ubuntu.com/security/notices/USN-4316-2
generic_textual Low https://usn.ubuntu.com/usn/usn-4316-1
generic_textual Low https://usn.ubuntu.com/usn/usn-4316-2
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00020.html
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11038.html
https://access.redhat.com/errata/RHSA-2019:2519
https://access.redhat.com/errata/RHSA-2019:3299
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-11038.json
https://api.first.org/data/v1/epss?cve=CVE-2019-11038
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929821
https://bugs.php.net/bug.php?id=77973
https://bugzilla.redhat.com/show_bug.cgi?id=1724149
https://bugzilla.redhat.com/show_bug.cgi?id=1724432
https://bugzilla.suse.com/show_bug.cgi?id=1140118
https://bugzilla.suse.com/show_bug.cgi?id=1140120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11034
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11035
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11036
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11038
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11039
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11040
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11041
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/libgd/libgd/issues/501
https://lists.debian.org/debian-lts-announce/2019/06/msg00003.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PKSSWFR2WPMUOIB5EN5ZM252NNEPYUTG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAZBVK6XNYEIN7RDQXESSD63QHXPLKWL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKSSWFR2WPMUOIB5EN5ZM252NNEPYUTG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAZBVK6XNYEIN7RDQXESSD63QHXPLKWL/
https://seclists.org/bugtraq/2019/Sep/38
https://ubuntu.com/security/notices/USN-4316-1
https://ubuntu.com/security/notices/USN-4316-2
https://usn.ubuntu.com/4316-1/
https://usn.ubuntu.com/4316-2/
https://usn.ubuntu.com/usn/usn-4316-1
https://usn.ubuntu.com/usn/usn-4316-2
https://www.debian.org/security/2019/dsa-4529
cpe:2.3:a:libgd:libgd:2.2.5:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libgd:libgd:2.2.5:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp4:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:12:sp4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:suse:linux_enterprise_desktop:12:sp4:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:12:sp4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:suse:linux_enterprise_server:12:sp4:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:12:sp5:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:suse:linux_enterprise_server:12:sp5:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp4:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp5:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp5:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_workstation_extension:12:sp4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:suse:linux_enterprise_workstation_extension:12:sp4:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_workstation_extension:12:sp5:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:suse:linux_enterprise_workstation_extension:12:sp5:*:*:*:*:*:*
CVE-2019-11038 https://nvd.nist.gov/vuln/detail/CVE-2019-11038
No exploits are available.
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-11038.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-11038
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-11038
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-11038
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.64872
EPSS Score 0.00260
Published At Dec. 17, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.