CVE-2019-11038
libgd2 - security update
CVSS 3.1: 5.3 (MEDIUM)
EPSS: 10.5%
Description
When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may lead to disclosing contents of the stack that have been left there by previous code.
How to fix CVE-2019-11038
To remediate CVE-2019-11038, upgrade the affected package to a fixed version below.
- upgrade to 2.2.5-r3 or later
- upgrade to 2.2.5-5.2 or later
- upgrade to 2.1.0-5+deb8u13 or later
Is CVE-2019-11038 being exploited?
Moderate — EPSS is 10.5%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- from 0, < 2.2.5-r3
- from 0, < 2.2.5-5.2
- from 0, < 2.1.0-5+deb8u13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |