CVE-2019-11035
Heap over-read in PHP EXIF extension
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash.
We have discovered 239,735 live websites that are affected by CVE-2019-11035.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 507 |
| Vulnerable Domains | 239,735 live websites (1.98% of PHP install base) |
Distribution by Website Rank
The diagram provides a graphic representation of the correlation between the occurrence of CVE-2019-11035 and the relative popularity of websitesDetails
- Published - Apr 1, 2019
- Updated - Nov 1, 2019
Credits
- Found by OSS-Fuzz in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13938
CWE
CVE References
CWE References
Countries
 United States | 33,195 websites |
 France | 107,746 websites |
 China | 16,772 websites |
 Russia | 8,419 websites |
 Japan | 6,930 websites |
 Italy | 6,328 websites |
 Poland | 5,659 websites |
 Belgium | 5,225 websites |
 Korea, South | 5,176 websites |
 Germany | 4,918 websites |
TLDs
| .com | 99,913 websites |
| .fr | 48,134 websites |
| .org | 9,512 websites |
| .net | 7,487 websites |
| .ru | 6,772 websites |
| .be | 5,873 websites |
| .it | 4,539 websites |
| .pl | 4,497 websites |
| .de | 3,297 websites |
| .eu | 2,670 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redGeographical Distribution
The distribution of websites across the globe that are exposed to CVE-2019-11035 through included software libraries and plugins.References
- https://bugs.php.net/bug.php?id=77831
- https://usn.ubuntu.com/3953-1/
- https://usn.ubuntu.com/3953-2/
- https://security.netapp.com/advisory/ntap-20190502-0001/
- https://support.f5.com/csp/article/K44590877
- https://lists.debian.org/debian-lts-announce/2019/05/msg00035.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
- https://access.redhat.com/errata/RHSA-2019:2519
- https://www.debian.org/security/2019/dsa-4529
- https://seclists.org/bugtraq/2019/Sep/38
- https://access.redhat.com/errata/RHSA-2019:3299
Websites affected by CVE-2019-11035
Top websites that are affected by CVE-2019-11035. Please click on the "Contact us" button above to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.*****.cz |  Czech Republic | *,*** | |
| *****.***.cn | China | *,*** | |
| ***.*****.***.cn | China | *,*** | |
| *****.cn | China | *,*** | |
| ***.*****.cn | China | *,*** | |
| ******.*********.com | China | *,*** | |
| ***.*********.com | China | *,*** | |
| *.***.cn | China | *,*** | |
| ***.*.***.cn | China | *,*** | |
| ******.com | China | *,*** |