Public Date:
1708570: CVE-2019-11037 php-imagick: out-of-bounds write to memory in ImagickKernel::fromMatrix() leading to possible crash and DoS

The MITRE CVE dictionary describes this issue as:

In PHP imagick extension in versions between 3.3.0 and 3.4.4, writing to an array of values in ImagickKernel::fromMatrix() function did not check that the address will be within the allocated array. This could lead to out of bounds write to memory if the function is called with the data controlled by untrusted party.

Find out more about CVE-2019-11037 from the MITRE CVE dictionary dictionary and NIST NVD.


This vulnerability does not affect the php55-php-pecl-imagick package shipped in OpenShift Container Platform 3.4 as it does not contain the vulnerable code. The vulnerable source file, imagickkernel_class.c, was added to php-imagick in version 3.3.0. OpenShift Container Platform ships version 3.1.2 and does not contain this source file.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 7.5
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact High

Affected Packages State

Platform Package State
Red Hat OpenShift Container Platform 3.4 php55-php-pecl-imagick Not affected
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.
Last Modified

CVE description copyright © 2017, The MITRE Corporation