VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-mpjk-r7xj-aaaq

Essentials
Severities (100)
References (21)
Severity details (6)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-mpjk-r7xj-aaaq
Aliases	CVE-2019-19246
Summary	Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c.
Status	Published
Exploitability	0.5
Weighted Severity	6.8
Risk	3.4
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-125

Out-of-bounds Read

System	Score	Found at
rhas	Moderate	https://access.redhat.com/errata/RHSA-2020:3662
rhas	Moderate	https://access.redhat.com/errata/RHSA-2020:5275
cvssv3	4.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19246.json
cvssv3	6.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19246.json
epss	0.00175	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00175	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00175	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00175	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00175	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00175	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00232	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00276	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00276	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00276	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00276	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00312	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00312	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00312	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00312	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00312	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00312	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00399	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00399	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00399	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00399	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00399	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00399	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00399	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00399	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00399	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00399	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00485	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
epss	0.00565	https://api.first.org/data/v1/epss?cve=CVE-2019-19246
rhbs	low	https://bugzilla.redhat.com/show_bug.cgi?id=1777537
cvssv3.1	7.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2	5.0	https://nvd.nist.gov/vuln/detail/CVE-2019-19246
cvssv3	7.5	https://nvd.nist.gov/vuln/detail/CVE-2019-19246
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2019-19246

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19246.json
		https://api.first.org/data/v1/epss?cve=CVE-2019-19246
		https://bugs.php.net/bug.php?id=78559
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19246
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/kkos/oniguruma/commit/d3e402928b6eb3327f8f7d59a9edfa622fec557b
		https://lists.debian.org/debian-lts-announce/2019/12/msg00002.html
		https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/
		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/
		https://usn.ubuntu.com/4460-1/
1777537		https://bugzilla.redhat.com/show_bug.cgi?id=1777537
946344		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946344
cpe:2.3:a:oniguruma_project:oniguruma::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oniguruma_project:oniguruma::::::::
cpe:2.3:a:php:php::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php::::::::
cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
cpe:2.3:o:debian:debian_linux:8.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:o:fedoraproject:fedora:31:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:31:::::::*
CVE-2019-19246		https://nvd.nist.gov/vuln/detail/CVE-2019-19246
RHSA-2020:3662		https://access.redhat.com/errata/RHSA-2020:3662
RHSA-2020:5275		https://access.redhat.com/errata/RHSA-2020:5275
USN-USN-5662-1		https://usn.ubuntu.com/USN-5662-1/

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19246.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19246.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2019-19246

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-19246

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-19246

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.35693
EPSS Score	0.00175
Published At	March 28, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.