Use of Uninitialized Resource

Affecting libgd2 package, versions <2.2.4-2+deb9u5


Overview

When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may disclose stack contents left there by previously executed code.
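The bug class described above (CWE-457/CWE-908), shown as an added illustration that is not libgd's or PHP's code: a hex-token reader of the kind an XBM parser needs, first ignoring the conversion result and then checking it. The function names, the sample strings and the use of `sscanf` here are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: XBM pixel bytes are written as C hex literals. */
static const char GOOD_TOKENS[] = "0x3c,0x7e,0xff";
static const char BAD_TOKENS[]  = "0x3c,0xzz,0xff";  /* second token is not hex */

/* Weak form: the conversion result is discarded, so a failed conversion
 * leaves b holding whatever was on the stack, and that value is copied
 * into the decoded image data. */
int parse_unchecked(const char *src, unsigned char *out, int max)
{
    int n = 0;
    while (n < max && (src = strstr(src, "0x")) != NULL) {
        unsigned int b;                     /* never initialized */
        (void)sscanf(src + 2, "%2x", &b);   /* may convert nothing */
        out[n++] = (unsigned char)b;        /* stale stack byte on failure */
        src += 2;
    }
    return n;
}

/* Hardened form: initialize the variable and reject the input as soon as
 * one token fails to convert. Returns the byte count, or -1 on bad input. */
int parse_checked(const char *src, unsigned char *out, int max)
{
    int n = 0;
    while (n < max && (src = strstr(src, "0x")) != NULL) {
        unsigned int b = 0;
        if (sscanf(src + 2, "%2x", &b) != 1)
            return -1;                      /* malformed token: stop parsing */
        out[n++] = (unsigned char)b;
        src += 2;
    }
    return n;
}

int main(void)
{
    unsigned char buf[8];
    printf("good input: %d bytes\n", parse_checked(GOOD_TOKENS, buf, 8));
    printf("bad input:  %d\n", parse_checked(BAD_TOKENS, buf, 8));
    return 0;
}
```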

References

CVSS Score

5.3 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE: CVE-2019-11038
CWE: CWE-457, CWE-908
Snyk ID: SNYK-DEBIAN9-LIBGD2-349173
Disclosed: 19 Jun, 2019
Published: 09 Jun, 2019