CVE-2019-11035
Heap over-read in PHP EXIF extensionWhen processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash.
We have discovered 131,495 live websites that are affected by CVE-2019-11035.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Domains | 131,495 live websites (1.51% of PHP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 49 versions ( 8.96% of all versions) |
Common Weakness Enumeration
CWE-125 Out-of-bounds ReadDetails
- Published - Apr 18, 2019
- Updated - Sep 17, 2024
Credits
- Found by OSS-Fuzz in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13938
CWE
CVE References
CWE References
CVE-2019-11035 usage by Country
 United States | 18,640 websites |
 France | 68,881 websites |
 China | 8,924 websites |
 Russia | 5,669 websites |
 Japan | 5,050 websites |
 Germany | 3,228 websites |
 Poland | 1,503 websites |
 Ukraine | 1,301 websites |
 GB | 1,225 websites |
 Italy | 1,225 websites |
CVE-2019-11035 usage by TLD
| .com | 54,044 websites |
| .fr | 26,759 websites |
| .ru | 5,169 websites |
| .net | 4,225 websites |
| .org | 4,199 websites |
| .be | 3,343 websites |
| .pl | 2,918 websites |
| .it | 2,642 websites |
| .de | 2,115 websites |
| .eu | 1,585 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2019-11035
Top websites that are affected by CVE-2019-11035. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.***.cn | China | *,*** | |
| *****.cn | China | *,*** | |
| ******.*********.com | China | *,*** | |
| *********.com | China | *,*** | |
| *****.**.com | China | *,*** | |
| *****.org | United States | *,*** | |
| ********.com | United States | *,*** | |
| ***.com | United States | *,*** | |
| ********.com | United States | **,*** | |
| *****.***.tr |  Turkey | **,*** |
FAQ
CVE-2019-11035 is Out-of-bounds Read in PHP
A total of 131,495 websites have been identified as vulnerable to CVE-2019-11035, discovered through global website indexing conducted by WebTechSurvey.
PHP is susceptible to CVE-2019-11035 vulnerability.
PHP versions before 7.3.4 are vulnerable to CVE-2019-11035.
Version 7.3.4 of PHP addresses the CVE-2019-11035 security vulnerability.
References
- https://bugs.php.net/bug.php?id=77831
- https://usn.ubuntu.com/3953-1/
- https://usn.ubuntu.com/3953-2/
- https://security.netapp.com/advisory/ntap-20190502-0001/
- https://support.f5.com/csp/article/K44590877
- https://lists.debian.org/debian-lts-announce/2019/05/msg00035.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
- https://access.redhat.com/errata/RHSA-2019:2519
- https://www.debian.org/security/2019/dsa-4529
- https://seclists.org/bugtraq/2019/Sep/38
- https://access.redhat.com/errata/RHSA-2019:3299