Information Exposure Affecting gd-progs package, versions *


Severity

Recommended
0.0
low
0
10

Based on CentOS security rating.

Threat Intelligence

EPSS
0.37% (73rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS7-GDPROGS-1992741
  • published26 Jul 2021
  • disclosed18 Jun 2019

Introduced: 18 Jun 2019

CVE-2019-11038  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

There is no fixed version for Centos:7 gd-progs.

NVD Description

Note: Versions mentioned in the description apply only to the upstream gd-progs package and not the gd-progs package as distributed by Centos. See How to fix? for Centos:7 relevant fixed versions and status.

When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.

References

CVSS Scores

version 3.1