CVE-2019-19203

HIGH

Oniguruma 6.x <6.9.4_rc2 - Memory Corruption

Title source: llm

Description

An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read.

Exploits (2)

nomisec WORKING POC 3 stars

by ManhNDd · poc

https://github.com/ManhNDd/CVE-2019-19203

View Code ZIP pw:eip

nomisec WORKING POC

by tarantula-team · poc

https://github.com/tarantula-team/CVE-2019-19203

View Code ZIP pw:eip

References (6)

Core 6

Core References

Release Notes x_refsource_misc

https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2

Exploit, Patch, Third Party Advisory x_refsource_misc

https://github.com/kkos/oniguruma/issues/163

Exploit, Third Party Advisory x_refsource_misc

https://github.com/ManhNDd/CVE-2019-19203

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3MBNW6Z4DOXSCNWGBLQ7OA3OGUJ44WL/

Third Party Advisory x_refsource_misc

https://github.com/tarantula-team/CVE-2019-19203

Scores

CVSS v3 7.5

EPSS 0.0073

EPSS Percentile 72.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-125

Status published

Products (4)

fedoraproject/fedora 30

fedoraproject/fedora 31

oniguruma_project/oniguruma 6.9.4 rc1

oniguruma_project/oniguruma 6.0.0 - 6.9.4

Published Nov 21, 2019

Tracked Since Feb 18, 2026