CVE-2019-11050
Use-after-free in exif parsing under memory sanitizerWhen PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
We have discovered 390,801 live websites that are affected by CVE-2019-11050.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Domains | 390,801 live websites (4.48% of PHP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 40 versions ( 7.31% of all versions) |
Common Weakness Enumeration
CWE-125 Out-of-bounds ReadDetails
- Published - Dec 23, 2019
- Updated - Sep 16, 2024
Credits
- Submitted by Nikita Popov
CWE
CVE References
CWE References
CVE-2019-11050 usage by Country
 United States | 143,557 websites |
 France | 176,164 websites |
 China | 11,020 websites |
 Germany | 8,316 websites |
 Russia | 7,655 websites |
 Japan | 3,613 websites |
 Netherlands | 3,159 websites |
 Poland | 3,083 websites |
 GB | 2,941 websites |
 Italy | 2,356 websites |
CVE-2019-11050 usage by TLD
| .com | 155,444 websites |
| .fr | 69,498 websites |
| .ru | 59,318 websites |
| .org | 14,236 websites |
| .net | 10,462 websites |
| .be | 8,180 websites |
| .pl | 6,563 websites |
| .de | 5,184 websites |
| .it | 5,022 websites |
| .eu | 3,581 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2019-11050
Top websites that are affected by CVE-2019-11050. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *.cn | China | *,*** | |
| *****.***.cn | China | *,*** | |
| *****.cn | China | *,*** | |
| *********.com | China | *,*** | |
| *******.com | United States | *,*** | |
| *****.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| ***.***.edu | United States | *,*** | |
| ****.***.edu | United States | *,*** | |
| ***.****.gov | United States | *,*** |
FAQ
CVE-2019-11050 is Out-of-bounds Read in PHP
A total of 390,801 websites have been identified as vulnerable to CVE-2019-11050, discovered through global website indexing conducted by WebTechSurvey.
PHP is susceptible to CVE-2019-11050 vulnerability.
PHP versions before 7.4.1 are vulnerable to CVE-2019-11050.
Version 7.4.1 of PHP addresses the CVE-2019-11050 security vulnerability.
References
- https://bugs.php.net/bug.php?id=78793
- https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html
- https://security.netapp.com/advisory/ntap-20200103-0002/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
- https://usn.ubuntu.com/4239-1/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html
- https://seclists.org/bugtraq/2020/Feb/27
- https://www.debian.org/security/2020/dsa-4626
- https://www.debian.org/security/2020/dsa-4628
- https://seclists.org/bugtraq/2020/Feb/31
- https://seclists.org/bugtraq/2021/Jan/3
- https://www.tenable.com/security/tns-2021-14