Vulnerability Details : CVE-2019-7317

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

Vulnerability category: Memory Corruption

Published 2019-02-04 08:29:00

Updated 2022-05-23 15:02:41

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2019-7317

Probability of exploitation activity in the next 30 days: 0.33%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 67 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2019-7317

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
2.6	LOW	AV:N/AC:H/Au:N/C:N/I:N/A:P	4.9	2.9	[email protected]
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.3	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H	1.6	3.6	[email protected]
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2019-7317

CWE-416 Use After Free

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Assigned by: [email protected] (Primary)

References for CVE-2019-7317

http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html

VDB Entry;Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/4083-1/

Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1269

Third Party Advisory

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Patch;Third Party Advisory

CVEs referencing this url
https://seclists.org/bugtraq/2019/May/67

Issue Tracking;Mailing List;Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/3991-1/

Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1265

Third Party Advisory

CVEs referencing this url
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803

Issue Tracking;Mailing List;Third Party Advisory
https://security.netapp.com/advisory/ntap-20190719-0005/

Third Party Advisory
https://www.debian.org/security/2019/dsa-4435

Third Party Advisory
https://seclists.org/bugtraq/2019/Apr/30

Issue Tracking;Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:2495

Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/201908-02

Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuApr2021.html

Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/108098

Not Applicable;Third Party Advisory;VDB Entry
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us

Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2019/05/msg00032.html

Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1309

Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html

Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:2585

Third Party Advisory

CVEs referencing this url
https://github.com/glennrp/libpng/issues/275

Exploit;Issue Tracking;Third Party Advisory
https://www.debian.org/security/2019/dsa-4448

Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/4080-1/

Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/3962-1/

Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.html

Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1310

Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html

Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuoct2021.html

Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/3997-1/

Third Party Advisory

CVEs referencing this url
https://seclists.org/bugtraq/2019/May/56

Issue Tracking;Mailing List;Third Party Advisory

CVEs referencing this url
https://seclists.org/bugtraq/2019/May/59

Issue Tracking;Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1267

Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:2592

Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:2494

Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html

Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.html

Mailing List;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2019/dsa-4451

Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:2737

Third Party Advisory

CVEs referencing this url
https://seclists.org/bugtraq/2019/Apr/36

Issue Tracking;Mailing List;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/05/msg00038.html

Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:2590

Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1308

Third Party Advisory

CVEs referencing this url

Products affected by CVE-2019-7317

HP » Xp7 Command View » Advanced Edition
Versions before (<) 8.7.0-00
cpe:2.3:a:hp:xp7_command_view:*:*:*:*:advanced:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Satellite » Version: 5.8
cpe:2.3:a:redhat:satellite:5.8:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Scientific Computing » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Scientific Computing » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Power Little Endian » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Power Little Endian » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Power Big Endian » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Power Big Endian » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Ibm Z Systems » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Ibm Z Systems » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Ibm Z Systems » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 12.0.1
cpe:2.3:a:oracle:jdk:12.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 11.0.3
cpe:2.3:a:oracle:jdk:11.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql
Versions before (<) 8.0.23
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Matching versions
Oracle » Java Se » Version: 7u221
cpe:2.3:a:oracle:java_se:7u221:*:*:*:*:*:*:*
Matching versions
Oracle » Java Se » Version: 8u212
cpe:2.3:a:oracle:java_se:8u212:*:*:*:*:*:*:*
Matching versions
Oracle » Hyperion Infrastructure Technology » Version: 11.2.6.0
cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.2.6.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird » Version: N/A
cpe:2.3:a:mozilla:thunderbird:-:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr » Version: N/A
cpe:2.3:a:mozilla:firefox_esr:-:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.10
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 19.04
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Matching versions
Libpng » Libpng
Versions from including (>=) 1.6.0 and before (<) 1.6.37
cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 42.3
cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.0
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Opensuse » Package Hub » Version: N/A
cpe:2.3:a:opensuse:package_hub:-:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Linux Enterprise » Version: 12.0
Netapp » Oncommand Workflow Automation
Versions before (<) 5.1
cpe:2.3:a:netapp:oncommand_workflow_automation:*:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Insight
Versions before (<) 7.3.9
cpe:2.3:a:netapp:oncommand_insight:*:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » Snapmanager » For SAP
Versions before (<) 3.4.2
cpe:2.3:a:netapp:snapmanager:*:*:*:*:*:sap:*:*
Matching versions
Netapp » Snapmanager » For Oracle
Versions before (<) 3.4.2
cpe:2.3:a:netapp:snapmanager:*:*:*:*:*:oracle:*:*
Matching versions
Netapp » Snapmanager » Version: 3.4.2 Update P1 For Oracle
cpe:2.3:a:netapp:snapmanager:3.4.2:p1:*:*:*:oracle:*:*
Matching versions
Netapp » Snapmanager » Version: 3.4.2 Update P1 For SAP
cpe:2.3:a:netapp:snapmanager:3.4.2:p1:*:*:*:sap:*:*
Matching versions
Netapp » Steelstore » Version: N/A
cpe:2.3:a:netapp:steelstore:-:*:*:*:*:*:*:*
Matching versions
Netapp » E-series Santricity Management » Version: N/A For Vcenter
cpe:2.3:a:netapp:e-series_santricity_management:-:*:*:*:*:vcenter:*:*
Matching versions
Netapp » E-series Santricity Storage Manager
Versions before (<) 11.53
cpe:2.3:a:netapp:e-series_santricity_storage_manager:*:*:*:*:*:*:*:*
Matching versions
Netapp » E-series Santricity Web Services » For Web Services Proxy
Versions before (<) 4.0
cpe:2.3:a:netapp:e-series_santricity_web_services:*:*:*:*:*:web_services_proxy:*:*
Matching versions
Netapp » Active Iq Unified Manager » For Windows
Versions before (<) 9.6
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
Matching versions
Netapp » Active Iq Unified Manager » For Vmware Vsphere
Versions before (<) 9.6
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: 9.6 For Vmware Vsphere
cpe:2.3:a:netapp:active_iq_unified_manager:9.6:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: 9.6 For Windows
cpe:2.3:a:netapp:active_iq_unified_manager:9.6:*:*:*:*:windows:*:*
Matching versions
Netapp » E-series Santricity Unified Manager
Versions before (<) 3.2
cpe:2.3:a:netapp:e-series_santricity_unified_manager:*:*:*:*:*:*:*:*
Matching versions
Netapp » Plug-in For Symantec Netbackup » Version: N/A
cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-:*:*:*:*:*:*:*
Matching versions
HPE » Xp7 Command View Advanced Edition Suite
Versions before (<) 8.7.0-00
cpe:2.3:a:hpe:xp7_command_view_advanced_edition_suite:*:*:*:*:*:*:*:*
Matching versions