Vulnerability Name: CVE-2019-20838 (CCN-185645)

Assigned: 2020-04-17
Published: 2020-04-17
Updated: 2021-09-22
Summary: libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.6 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-125
Vulnerability Consequences: Denial of Service
References:

Source: MITRE
Type: CNA
CVE-2019-20838

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20201215 APPLE-SA-2020-12-14-4 Additional information for APPLE-SA-2020-11-13-1 macOS Big Sur 11.0.1

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20210201 APPLE-SA-2021-02-01-1 macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave

Source: CCN
Type: Gentoo's Bugzilla – Bug 717920
Multiple vulnerabilities (CVE-2019-20838, CVE-2020-14155)

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory, VDB Entry
https://bugs.gentoo.org/717920

Source: XF
Type: UNKNOWN
pcre-cve201920838-dos(185645)

Source: MLIST
Type: Mailing List, Third Party Advisory
[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar

Source: CCN
Type: Apple security document HT211931
About the security content of macOS Big Sur 11.0.1

Source: CCN
Type: Apple security document HT212147
About the security content of macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/kb/HT211931

Source: CONFIRM
Type: Vendor Advisory
https://support.apple.com/kb/HT212147

Source: CCN
Type: IBM Security Bulletin 6395492 (Tivoli Network Manager IP Edition)
A security vulnerability has been identified in PCRE, which is a required product for IBM Tivoli Network Manager IP Edition (CVE-2019-20838)

Source: CCN
Type: IBM Security Bulletin 6541298 (Cloud Pak for Automation)
Multiple security vulnerabilities fixed in Cloud Pak for Automation components

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6560126 (Sterling Connect:Direct for UNIX Certified Container)
IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93

Source: CCN
Type: IBM Security Bulletin 6574787 (QRadar SIEM)
IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6618941 (Aspera Faspex)
IBM Aspera Faspex 4.4.2 has addressed multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6856409 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: PCRE Web site
PCRE

Source: MISC
Type: Release Notes, Vendor Advisory
https://www.pcre.org/original/changelog.txt

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:pcre:pcre:*:*:*:*:*:*:*:* (Version < 8.43)

Configuration 2:
  • cpe:/o:apple:macos:*:*:*:*:*:*:*:* (Version < 11.0.1)

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:pcre:pcre:8.43:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:tivoli_network_manager:3.9:*:ip:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.5.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:aspera_faspex:4.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.6.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable

Oval Definitions

| Definition ID | Class | Title | Last Modified |
|---|---|---|---|
| oval:org.opensuse.security:def:7640 | P | libpcre1-32bit-8.45-150000.20.13.1 on GA media (Moderate) | 2023-06-12 |
| oval:org.opensuse.security:def:51980 | P | Security update for sudo (Important) | 2023-01-20 |
| oval:org.opensuse.security:def:798 | P | Security update for colord (Moderate) | 2022-10-04 |
| oval:org.opensuse.security:def:3699 | P | Security update for python3 (Important) | 2022-07-11 |
| oval:org.opensuse.security:def:3513 | P | gstreamer-plugins-bad-1.8.3-17.2 on GA media (Moderate) | 2022-06-28 |
| oval:org.opensuse.security:def:3054 | P | dosfstools-3.0.26-6.5 on GA media (Moderate) | 2022-06-28 |
| oval:org.opensuse.security:def:94625 | P | libblkid-devel-2.37.2-150400.6.26 on GA media (Moderate) | 2022-06-22 |
| oval:org.opensuse.security:def:94684 | P | libpcre1-32bit-8.45-20.10.1 on GA media (Moderate) | 2022-06-22 |
| oval:org.opensuse.security:def:95421 | P | Security update for pidgin (Important) | 2022-05-17 |
| oval:org.opensuse.security:def:35276 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:84690 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:31298 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:19617 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:59561 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:55266 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:87504 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:127189 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:33738 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:83352 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:4285 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:29443 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:57524 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:89474 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:85762 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:125100 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:31701 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:23700 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:59819 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:55968 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:88215 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:33996 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:83472 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:5149 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:30145 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:19518 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:58037 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:51688 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:86165 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:125625 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:32214 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:23992 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:60411 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:56088 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:88532 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:34588 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:84232 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:6306 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:30265 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:19568 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:58863 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:86678 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:126792 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:33040 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:82650 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:26162 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:61099 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:57121 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:org.opensuse.security:def:89216 | P | Security update for pcre (Moderate) | 2021-11-10 |
| oval:com.redhat.rhsa:def:20214373 | P | RHSA-2021:4373: pcre security update (Low) | 2021-11-09 |
| oval:org.opensuse.security:def:111121 | P | Security update for pcre (Moderate) | 2021-11-02 |
| oval:org.opensuse.security:def:117518 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:67301 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:93982 | P | (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:42134 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:99155 | P | (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:6212 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:64602 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:93427 | P | (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:108800 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:100673 | P | (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:76369 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:94194 | P | (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:42232 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:99690 | P | (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:73724 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:64788 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:93583 | P | (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:101338 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:94405 | P | (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:93109 | P | (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:111765 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:100008 | P | (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:73910 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:66962 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:93768 | P | (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:102134 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:5873 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:93269 | P | (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:108004 | P | Security update for pcre (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:100344 | P | (Moderate) | 2021-10-27 |
| oval:org.opensuse.security:def:76030 | P | Security update for pcre (Moderate) | 2021-10-27 |