CVE-2019-11036
Heap over-read in PHP EXIF extension
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.
We have discovered 248,615 live websites that are affected by CVE-2019-11036.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 507 |
| Vulnerable Domains | 248,615 live websites (2.06% of PHP install base) |
Distribution by Website Rank
The diagram provides a graphic representation of the correlation between the occurrence of CVE-2019-11036 and the relative popularity of websitesDetails
- Published - Apr 30, 2019
- Updated - Nov 1, 2019
Credits
- Discovered by OSS-fuzz in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14050
CWE
CVE References
CWE References
Countries
 United States | 35,517 websites |
 France | 107,981 websites |
 China | 18,367 websites |
 Russia | 9,313 websites |
 Japan | 7,233 websites |
 Italy | 6,410 websites |
 Poland | 5,737 websites |
 Korea, South | 5,308 websites |
 Belgium | 5,269 websites |
 Germany | 5,144 websites |
TLDs
| .com | 103,790 websites |
| .fr | 48,200 websites |
| .org | 9,794 websites |
| .net | 7,759 websites |
| .ru | 7,579 websites |
| .be | 5,913 websites |
| .it | 4,594 websites |
| .pl | 4,548 websites |
| .de | 3,438 websites |
| .cn | 2,919 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redGeographical Distribution
The distribution of websites across the globe that are exposed to CVE-2019-11036 through included software libraries and plugins.References
- https://bugs.php.net/bug.php?id=77950
- http://www.securityfocus.com/bid/108177
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BY2XUUAN277LS7HKAOGL4DVGAELOJV3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NFXYNCXZCPYT7ZN4ZLI5EPQQW44FRRO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WN2HLPGEZEF4MFM5YC5FILZB5QEQFP3A/
- https://security.netapp.com/advisory/ntap-20190517-0003/
- https://usn.ubuntu.com/3566-2/
- https://lists.debian.org/debian-lts-announce/2019/05/msg00035.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html
- https://usn.ubuntu.com/4009-1/
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
- https://access.redhat.com/errata/RHSA-2019:2519
- https://seclists.org/bugtraq/2019/Sep/35
- https://www.debian.org/security/2019/dsa-4527
- https://www.debian.org/security/2019/dsa-4529
- https://seclists.org/bugtraq/2019/Sep/38
- https://access.redhat.com/errata/RHSA-2019:3299
Websites affected by CVE-2019-11036
Top websites that are affected by CVE-2019-11036. Please click on the "Contact us" button above to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.*****.cz |  Czech Republic | *,*** | |
| *****.***.cn | China | *,*** | |
| ***.*****.***.cn | China | *,*** | |
| *****.cn | China | *,*** | |
| ***.*****.cn | China | *,*** | |
| ******.*********.com | China | *,*** | |
| ***.*********.com | China | *,*** | |
| *.***.cn | China | *,*** | |
| ***.*.***.cn | China | *,*** | |
| ******.com | China | *,*** |