An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory.

  - The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the     name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. (CVE-2022-37601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2020:4539 advisory.

  - An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to     match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may     be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in     do_extuni_no_utf in pcre2_jit_compile.c. (CVE-2019-20454)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2020:3662 advisory.

  - Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x     below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may     lead to information disclosure or crash. (CVE-2019-11039)

  - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in     PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with     data what will cause it to read past the allocated buffer. This may lead to information disclosure or     crash. (CVE-2019-11040)

  - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in     PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with     data what will cause it to read past the allocated buffer. This may lead to information disclosure or     crash. (CVE-2019-11041, CVE-2019-11042)

  - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts     filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security     vulnerabilities, e.g. in applications checking paths that the code is allowed to access. (CVE-2019-11045)

  - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what     will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
    (CVE-2019-11047, CVE-2019-11050)

  - In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are     allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized     memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files     created by upload request. This potentially could lead to accumulation of uncleaned temporary files     exhausting the disk space on the target server. (CVE-2019-11048)

  - A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause     information disclosure, denial of service, or possibly code execution by providing a crafted regular     expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that     gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional     libraries for PHP and Rust. (CVE-2019-13224)

  - A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially     cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as     well as common optional libraries for PHP and Rust. (CVE-2019-13225)

  - Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.
    (CVE-2019-16163)

  - An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file     gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string.
    This leads to a heap-based buffer over-read. (CVE-2019-19203)

  - An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier     (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This     leads to a heap-based buffer over-read. (CVE-2019-19204)

  - Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in     str_lower_case_match in regexec.c. (CVE-2019-19246)

  - An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to     match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may     be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in     do_extuni_no_utf in pcre2_jit_compile.c. (CVE-2019-20454)

  - When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x     below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read     past the allocated buffer. This may lead to information disclosure or crash. (CVE-2020-7059)

  - When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27,     7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function     mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or     crash. (CVE-2020-7060)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload     functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0     (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist     and encounter null pointer dereference, which would likely lead to a crash. (CVE-2020-7062)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive     using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all     access) even if the original files on the filesystem were with more restrictive permissions. This may     result in files having more lax permissions than intended when such archive is extracted. (CVE-2020-7063)

  - In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with     exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of     uninitialized memory. This could potentially lead to information disclosure or crash. (CVE-2020-7064)

  - In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with     UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could     lead to memory corruption, crashes and potentially code execution. (CVE-2020-7065)

  - In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers()     with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it.
    This may cause some software to make incorrect assumptions about the target of the get_headers() and     possibly send some information to a wrong server. (CVE-2020-7066)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3363 advisory.

  - An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to     match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may     be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in     do_extuni_no_utf in pcre2_jit_compile.c. (CVE-2019-20454)

  - An out-of-bounds read vulnerability was discovered in the PCRE2 library in the     compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property     matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully     read in case-less matching within JIT. (CVE-2022-1586)

  - An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length()     function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular     expressions caused by duplicate data transfers. (CVE-2022-1587)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:2649-1 advisory.

  - An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to     match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may     be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in     do_extuni_no_utf in pcre2_jit_compile.c. (CVE-2019-20454)

  - An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length()     function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular     expressions caused by duplicate data transfers. (CVE-2022-1587)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2020:4539 advisory.

  - An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to     match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may     be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in     do_extuni_no_utf in pcre2_jit_compile.c. (CVE-2019-20454)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version MAIN 6.02, has pcre2 packages installed that are affected by a vulnerability:

  - An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to     match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may     be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in     do_extuni_no_utf in pcre2_jit_compile.c. (CVE-2019-20454)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:3662 advisory.

  - php: Out-of-bounds read due to integer overflow in iconv_mime_decode_headers() (CVE-2019-11039)

  - php: Buffer over-read in exif_read_data() (CVE-2019-11040)

  - php: Heap buffer over-read in exif_scan_thumbnail() (CVE-2019-11041)

  - php: Heap buffer over-read in exif_process_user_comment() (CVE-2019-11042)

  - php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at     that byte (CVE-2019-11045)

  - php: Information disclosure in exif_read_data() (CVE-2019-11047)

  - php: Integer wraparounds when receiving multipart forms (CVE-2019-11048)

  - php: Out of bounds read when parsing EXIF information (CVE-2019-11050)

  - oniguruma: Use-after-free in onig_new_deluxe() in regext.c (CVE-2019-13224)

  - oniguruma: NULL pointer dereference in match_at() in regexec.c (CVE-2019-13225)

  - oniguruma: Stack exhaustion in regcomp.c because of recursion in regparse.c (CVE-2019-16163)

  - oniguruma: Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c (CVE-2019-19203)

  - oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c     (CVE-2019-19204)

  - oniguruma: Heap-based buffer overflow in str_lower_case_match in regexec.c (CVE-2019-19246)

  - pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode (CVE-2019-20454)

  - php: Out of bounds read in php_strip_tags_ex (CVE-2020-7059)

  - php: Global buffer-overflow in mbfl_filt_conv_big5_wchar function (CVE-2020-7060)

  - php: NULL pointer dereference in PHP session upload progress (CVE-2020-7062)

  - php: Files added to tar with Phar::buildFromIterator have all-access permissions (CVE-2020-7063)

  - php: Information disclosure in exif_read_data() function (CVE-2020-7064)

  - php: Using mb_strtolower() function with UTF-32LE encoding leads to potential code execution     (CVE-2020-7065)

  - php: Information disclosure in function get_headers (CVE-2020-7066)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2020:4539 advisory.

  - pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode (CVE-2019-20454)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2020-4539 advisory.

    [10.32-2]
    - Fix CVE-2019-20454 (a crash when \X is used without UTF mode in a JIT)       (bug #1734468)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:4539 advisory.

    The pcre2 package contains a new generation of the Perl Compatible Regular Expression libraries for     implementing regular expression pattern matching using the same syntax and semantics as Perl.

    Security Fix(es):

    * pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode (CVE-2019-20454)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-3662 advisory.

    php     [7.3.20-1]
    - update to 7.3.20 #1856655

    php-pear     [1:1.10.9-1]
    - update PEAR to 1.10.9
    - update Archive_Tar to 1.4.7
    - update Console_Getopt to 1.4.2

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3662 advisory.

    PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

    The following packages have been upgraded to a later upstream version: php (7.3.20). (BZ#1856655)

    Security Fix(es):

    * php: Out-of-bounds read due to integer overflow in iconv_mime_decode_headers() (CVE-2019-11039)

    * php: Buffer over-read in exif_read_data() (CVE-2019-11040)

    * php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at     that byte (CVE-2019-11045)

    * php: Information disclosure in exif_read_data() (CVE-2019-11047)

    * php: Integer wraparounds when receiving multipart forms (CVE-2019-11048)

    * oniguruma: Use-after-free in onig_new_deluxe() in regext.c (CVE-2019-13224)

    * oniguruma: NULL pointer dereference in match_at() in regexec.c (CVE-2019-13225)

    * oniguruma: Stack exhaustion in regcomp.c because of recursion in regparse.c (CVE-2019-16163)

    * oniguruma: Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c     (CVE-2019-19203)

    * oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c     (CVE-2019-19204)

    * pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode (CVE-2019-20454)

    * php: Out of bounds read in php_strip_tags_ex (CVE-2020-7059)

    * php: Global buffer-overflow in mbfl_filt_conv_big5_wchar function (CVE-2020-7060)

    * php: NULL pointer dereference in PHP session upload progress (CVE-2020-7062)

    * php: Files added to tar with Phar::buildFromIterator have all-access permissions (CVE-2020-7063)

    * php: Information disclosure in exif_read_data() function (CVE-2020-7064)

    * php: Using mb_strtolower() function with UTF-32LE encoding leads to potential code execution     (CVE-2020-7065)

    * php: Heap buffer over-read in exif_scan_thumbnail() (CVE-2019-11041)

    * php: Heap buffer over-read in exif_process_user_comment() (CVE-2019-11042)

    * php: Out of bounds read when parsing EXIF information (CVE-2019-11050)

    * oniguruma: Heap-based buffer overflow in str_lower_case_match in regexec.c (CVE-2019-19246)

    * php: Information disclosure in function get_headers (CVE-2020-7066)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

FIx CVE-2019-20454

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the pcre2 package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability :

  - An out-of-bounds read was discovered in PCRE when the     pattern '\X' is JIT compiled and used to match     specially crafted subjects in non-UTF mode.
    Applications that use PCRE to process untrusted input     may be vulnerable to this flaw. An attacker could use     this flaw to crash the application.(CVE-2019-20454)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-202006-16 (PCRE2: Denial of service)

    PCRE2 has a flaw when handling JIT-compiled regex using the \\X pattern.
  Impact :

    An attacker could cause a possible Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

According to the version of the pcre2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - An out-of-bounds read was discovered in PCRE when the     pattern '\X' is JIT compiled and used to match     specially crafted subjects in non-UTF mode.
    Applications that use PCRE to process untrusted input     may be vulnerable to this flaw. An attacker could use     this flaw to crash the application.(CVE-2019-20454)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	critical
194926	Universal Forwarder 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0809)	Nessus	CGI abuses	critical
185040	Rocky Linux 8 : pcre2 (RLSA-2020:4539)	Nessus	Rocky Linux Local Security Checks	high
184972	Rocky Linux 8 : php:7.3 (RLSA-2020:3662)	Nessus	Rocky Linux Local Security Checks	critical
172599	Debian DLA-3363-1 : pcre2 - LTS security update	Nessus	Debian Local Security Checks	critical
163800	SUSE SLED15 / SLES15 Security Update : pcre2 (SUSE-SU-2022:2649-1)	Nessus	SuSE Local Security Checks	critical
157721	AlmaLinux 8 : pcre2 (ALSA-2020:4539)	Nessus	Alma Linux Local Security Checks	high
147297	NewStart CGSL MAIN 6.02 : pcre2 Vulnerability (NS-SA-2021-0070)	Nessus	NewStart CGSL Local Security Checks	high
145957	CentOS 8 : php:7.3 (CESA-2020:3662)	Nessus	CentOS Local Security Checks	critical
145872	CentOS 8 : pcre2 (CESA-2020:4539)	Nessus	CentOS Local Security Checks	high
142769	Oracle Linux 8 : pcre2 (ELSA-2020-4539)	Nessus	Oracle Linux Local Security Checks	high
142379	RHEL 8 : pcre2 (RHSA-2020:4539)	Nessus	Red Hat Local Security Checks	high
140482	Oracle Linux 8 : php:7.3 (ELSA-2020-3662)	Nessus	Oracle Linux Local Security Checks	critical
140396	RHEL 8 : php:7.3 (RHSA-2020:3662)	Nessus	Red Hat Local Security Checks	critical
138240	Fedora 31 : mingw-pcre2 (2020-b11cf352bd)	Nessus	Fedora Local Security Checks	high
137809	EulerOS Virtualization for ARM 64 3.0.6.0 : pcre2 (EulerOS-SA-2020-1702)	Nessus	Huawei Local Security Checks	high
137453	GLSA-202006-16 : PCRE2: Denial of service	Nessus	Gentoo Local Security Checks	high
135743	EulerOS 2.0 SP8 : pcre2 (EulerOS-SA-2020-1510)	Nessus	Huawei Local Security Checks	high

Detections

Analytics

CVE-2019-20454

high

Tenable Plugins

critical

critical

high

critical

critical

critical

high

high

critical

high

high

high

critical

critical

high

high

high

high