CVE-2019-20454

Published: 2/14/2020 Last updated: 8/5/2024 Reserved: 2/14/2020

An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.

CNA assigner: mitre (8254265b-2729-46b6-b9e3-3dfca2d5bfca) Requested by: n/a

Metrics

Version  Score  Severity  Vector String
3.0      5.1    Medium    CVSS:3.0/AC:H/AV:L/A:H/C:N/I:N/PR:N/S:U/UI:N

Opam packages affected (3)

conf-libpcre2-8 conf-mingw-w64-pcre2-i686 conf-mingw-w64-pcre2-x86_64

Products affected (1)

Product Vendor Version
n/a n/a n/a

References (14)