Search for vulnerabilities
Vulnerability details: VCID-hrzf-w26e-aaaq
Vulnerability ID VCID-hrzf-w26e-aaaq
Aliases CVE-2019-9675
Summary ** DISPUTED ** An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently cannot happen: "This issue allows theoretical compromise of security, but a practical attack is usually impossible."
Status Disputed
Exploitability 0.5
Weighted Severity 7.3
Risk 3.6
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-121 Stack-based Buffer Overflow
System Score Found at
generic_textual Low http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9675.html
generic_textual Low http://php.net/ChangeLog-7.php
cvssv3 3.7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9675.json
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00389 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00465 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00465 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00465 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00465 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00465 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00465 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00465 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00465 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00465 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.00465 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01128 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01128 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01128 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01128 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01665 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01865 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01865 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01865 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01865 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01865 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01865 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01865 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01865 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01865 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01865 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01865 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
epss 0.01865 https://api.first.org/data/v1/epss?cve=CVE-2019-9675
rhbs low https://bugzilla.redhat.com/show_bug.cgi?id=1688947
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9637
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9638
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9639
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9640
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9641
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9675
cvssv3 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 6.8 https://nvd.nist.gov/vuln/detail/CVE-2019-9675
cvssv3 8.1 https://nvd.nist.gov/vuln/detail/CVE-2019-9675
generic_textual Low https://ubuntu.com/security/notices/USN-3922-1
generic_textual Low https://ubuntu.com/security/notices/USN-3922-2
generic_textual Low https://ubuntu.com/security/notices/USN-3922-3
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9675.html
http://php.net/ChangeLog-7.php
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9675.json
https://api.first.org/data/v1/epss?cve=CVE-2019-9675
https://bugs.php.net/bug.php?id=77586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9637
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9638
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9675
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://ubuntu.com/security/notices/USN-3922-1
https://ubuntu.com/security/notices/USN-3922-2
https://ubuntu.com/security/notices/USN-3922-3
https://usn.ubuntu.com/3922-2/
https://usn.ubuntu.com/3922-3/
1688947 https://bugzilla.redhat.com/show_bug.cgi?id=1688947
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
CVE-2019-9675 https://nvd.nist.gov/vuln/detail/CVE-2019-9675
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9675.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2019-9675
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-9675
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.57148
EPSS Score 0.00389
Published At March 28, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2024-09-22T01:45:00.053347+00:00 NVD CVE Status Improver Improve https://cveawg.mitre.org/api/cve/CVE-2019-9675 34.0.1