Vulnerability Details : CVE-2019-7317
Potential exploit
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
Vulnerability category: Memory Corruption
Products affected by CVE-2019-7317
- cpe:2.3:a:hp:xp7_command_view:*:*:*:*:advanced:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:satellite:5.8:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:12.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:11.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:java_se:7u221:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:java_se:8u212:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:-:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:-:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:opensuse:package_hub:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_workflow_automation:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_insight:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snapmanager:*:*:*:*:*:sap:*:*
- cpe:2.3:a:netapp:snapmanager:*:*:*:*:*:oracle:*:*
- cpe:2.3:a:netapp:snapmanager:3.4.2:p1:*:*:*:oracle:*:*
- cpe:2.3:a:netapp:snapmanager:3.4.2:p1:*:*:*:sap:*:*
- cpe:2.3:a:netapp:steelstore:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:e-series_santricity_management:-:*:*:*:*:vcenter:*:*
- cpe:2.3:a:netapp:e-series_santricity_storage_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:e-series_santricity_web_services:*:*:*:*:*:web_services_proxy:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:9.6:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:9.6:*:*:*:*:windows:*:*
- cpe:2.3:a:netapp:e-series_santricity_unified_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-:*:*:*:*:*:*:*
- cpe:2.3:a:hpe:xp7_command_view_advanced_edition_suite:*:*:*:*:*:*:*:*
Threat overview for CVE-2019-7317
Top countries where our scanners detected CVE-2019-7317
Top open port discovered on systems with this issue
53
IPs affected by CVE-2019-7317 811,569
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2019-7317!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2019-7317
0.30%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 69 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-7317
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.6
|
LOW | AV:N/AC:H/Au:N/C:N/I:N/A:P |
4.9
|
2.9
|
NIST | |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H |
1.6
|
3.6
|
NIST |
CWE ids for CVE-2019-7317
-
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-7317
-
http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html
Slackware Security Advisory - libpng Updates ≈ Packet StormVDB Entry;Third Party Advisory
-
https://usn.ubuntu.com/4083-1/
USN-4083-1: OpenJDK 11 vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:1269
RHSA-2019:1269 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Oracle Critical Patch Update - July 2019Patch;Third Party Advisory
-
https://seclists.org/bugtraq/2019/May/67
Bugtraq: [SECURITY] [DSA 4451-1] thunderbird security updateIssue Tracking;Mailing List;Third Party Advisory
-
https://usn.ubuntu.com/3991-1/
USN-3991-1: Firefox vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:1265
RHSA-2019:1265 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
12803 - libpng-proto/png_transforms_fuzzer: Stack-use-after-return in OSS_FUZZ_png_safe_execute - oss-fuzz - MonorailIssue Tracking;Mailing List;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20190719-0005/
July 2019 Java Platform Standard Edition Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://www.debian.org/security/2019/dsa-4435
Debian -- Security Information -- DSA-4435-1 libpng1.6Third Party Advisory
-
https://seclists.org/bugtraq/2019/Apr/30
Bugtraq: [slackware-security] libpng (SSA:2019-107-01)Issue Tracking;Mailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2495
RHSA-2019:2495 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://security.gentoo.org/glsa/201908-02
libpng: Multiple vulnerabilities (GLSA 201908-02) — Gentoo securityThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuApr2021.html
Oracle Critical Patch Update Advisory - April 2021Third Party Advisory
-
http://www.securityfocus.com/bid/108098
libpng CVE-2019-7317 Use After Free Denial of Service VulnerabilityNot Applicable;Third Party Advisory;VDB Entry
-
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
HPESBST03977 rev.1 - HPE Command View Advanced Edition (CVAE), Multiple VulnerabilitiesThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2019/05/msg00032.html
[SECURITY] [DLA 1800-1] firefox-esr security updateMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:1309
RHSA-2019:1309 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
[security-announce] openSUSE-SU-2019:1912-1: important: Security updateMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2585
RHSA-2019:2585 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://github.com/glennrp/libpng/issues/275
Use after free · Issue #275 · glennrp/libpng · GitHubExploit;Issue Tracking;Third Party Advisory
-
https://www.debian.org/security/2019/dsa-4448
Debian -- Security Information -- DSA-4448-1 firefox-esrThird Party Advisory
-
https://usn.ubuntu.com/4080-1/
USN-4080-1: OpenJDK 8 vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://usn.ubuntu.com/3962-1/
USN-3962-1: libpng vulnerability | Ubuntu security noticesThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.html
[security-announce] openSUSE-SU-2019:1664-1: important: Security updateMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:1310
RHSA-2019:1310 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html
[security-announce] openSUSE-SU-2019:1484-1: important: Security updateThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - October 2021Third Party Advisory
-
https://usn.ubuntu.com/3997-1/
USN-3997-1: Thunderbird vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://seclists.org/bugtraq/2019/May/56
Bugtraq: [slackware-security] mozilla-firefox (SSA:2019-141-01)Issue Tracking;Mailing List;Third Party Advisory
-
https://seclists.org/bugtraq/2019/May/59
Bugtraq: [SECURITY] [DSA 4448-1] firefox-esr security updateIssue Tracking;Mailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:1267
RHSA-2019:1267 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2592
RHSA-2019:2592 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2494
RHSA-2019:2494 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html
[security-announce] openSUSE-SU-2019:1916-1: important: Security updateMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.html
[security-announce] openSUSE-SU-2019:1534-1: important: Security updateMailing List;Third Party Advisory
-
https://www.debian.org/security/2019/dsa-4451
Debian -- Security Information -- DSA-4451-1 thunderbirdThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2737
RHSA-2019:2737 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://seclists.org/bugtraq/2019/Apr/36
Bugtraq: [SECURITY] [DSA 4435-1] libpng1.6 security updateIssue Tracking;Mailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2019/05/msg00038.html
[SECURITY] [DLA 1806-1] thunderbird security updateMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2590
RHSA-2019:2590 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:1308
RHSA-2019:1308 - Security Advisory - Red Hat Customer PortalThird Party Advisory
Jump to