CVE-2017-9227

Public on 2017-05-24
Modified on 2024-05-16
Description
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer.
Severity
Important severity
Important
CVSS v3 Base Score
7.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core oniguruma 2023-10-12 ALAS2-2023-2311 Fixed
Amazon Linux 2023 oniguruma Not Affected
Amazon Linux 2 - Core php 2024-04-11 ALAS2-2024-2520 Fixed
Amazon Linux 1 php56 2017-08-17 ALAS-2017-871 Fixed
Amazon Linux 1 php70 2017-08-03 ALAS-2017-867 Fixed
Amazon Linux 2023 php8.1 Not Affected
Amazon Linux 2023 php8.2 Not Affected
Amazon Linux 2023 ruby3.2 Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD CVSSv3 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD CVSSv2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P