CVE-2019-11034
Heap over-read in PHP EXIF extensionWhen processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.
We have discovered 95,587 live websites that are affected by CVE-2019-11034.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Domains | 95,587 live websites (1.29% of PHP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 49 versions ( 9.66% of all versions) |
Common Weakness Enumeration
CWE-125 Out-of-bounds ReadDetails
- Published - Apr 18, 2019
- Updated - Sep 17, 2024
Credits
- Found by OSS-Fuzz in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13723
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2019-11034 United States | 9,160 websites |
 France | 49,065 websites |
 China | 6,422 websites |
 Russia | 4,570 websites |
 Japan | 4,068 websites |
 Germany | 2,511 websites |
 Poland | 2,253 websites |
 Italy | 1,595 websites |
 Spain | 1,311 websites |
 Ukraine | 1,149 websites |
Website Distribution by TLD
Number of websites using CVE-2019-11034| .com | 37,806 websites |
| .fr | 20,491 websites |
| .ru | 3,842 websites |
| .org | 2,885 websites |
| .net | 2,760 websites |
| .be | 2,581 websites |
| .pl | 2,269 websites |
| .de | 1,677 websites |
| .it | 1,574 websites |
| .eu | 1,232 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2019-11034
Top websites that are affected by CVE-2019-11034. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.com | China | *,*** | |
| ****.com | China | *,*** | |
| *****.**.com | China | *,*** | |
| *****.org | United States | *,*** | |
| ********.com | United States | *,*** | |
| ********.com | United States | **,*** | |
| *****.***.tr |  Turkey | **,*** | |
| ********.com | France | **,*** | |
| ****.ru | Russia | **,*** | |
| *********.fr | France | **,*** |
FAQ
CVE-2019-11034 is Out-of-bounds Read in PHP
A total of 95,587 websites have been identified as vulnerable to CVE-2019-11034, based on global website indexing conducted by WebTechSurvey.
The PHP is affected by the CVE-2019-11034 vulnerability.
PHP versions up to 7.3.4 are vulnerable to CVE-2019-11034.
CVE-2019-11034 is resolved in version 7.3.4 of PHP.
References
- https://bugs.php.net/bug.php?id=77753
- https://usn.ubuntu.com/3953-1/
- https://usn.ubuntu.com/3953-2/
- https://security.netapp.com/advisory/ntap-20190502-0001/
- https://support.f5.com/csp/article/K44590877
- https://lists.debian.org/debian-lts-announce/2019/05/msg00035.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
- https://access.redhat.com/errata/RHSA-2019:2519
- https://www.debian.org/security/2019/dsa-4529
- https://seclists.org/bugtraq/2019/Sep/38
- https://access.redhat.com/errata/RHSA-2019:3299