PHP EXIF exif_process_IFD_in_MAKERNOTE Arbitrary Code Execution Vulnerability

A vulnerability in the EXIF component of PHP could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is in the exif_process_IFD_in_MAKERNOTE function, as defined in the ext/exif/exif.c source code file of the affected software, and is due to an uninitialized memory read that occurs when the affected software handles the data_len variable. An attacker could exploit this vulnerability by sending requests that submit malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code and completely compromise the targeted system.

The PHP Project has confirmed the vulnerability and released software updates.

Security Impact Rating: Critical

CVE: CVE-2019-9639

Source: Cisco Multivendor Vulnerability Alerts