{"id":"CVE-2019-11455","details":"A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit before 5.25.3 allows a remote authenticated attacker to retrieve the contents of adjacent memory via manipulation of GET or POST parameters. The attacker can also cause a denial of service (application outage).","modified":"2026-04-16T00:11:55.076786570Z","published":"2019-04-22T16:29:01.600Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"18.10"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"19.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"8.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"31"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"32"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","source":"CPE_FIELD"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZQDHRSKTEX5MSYXNCGFTUSFGANBARHX/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L475QJMFFI2QV5QEHAKKPVX6QX6ECUL6/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/04/msg00028.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00018.html"},{"type":"FIX","url":"https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a"},{"type":"FIX","url":"https://usn.ubuntu.com/3971-1/"},{"type":"EVIDENCE","url":"https://github.com/dzflack/exploits/blob/master/macos/monit_dos.py"},{"type":"EVIDENCE","url":"https://github.com/dzflack/exploits/blob/master/unix/monit_buffer_overread.py"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://bitbucket.org/tildeslash/monit","events":[{"introduced":"0"},{"fixed":"e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9"},{"fixed":"f12d0cdb42d4e74dffe1525d4062c815c48ac57a"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"5.25.3"}],"cpe":"cpe:2.3:a:tildeslash:monit:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"]}}],"versions":["release-5-11-0","release-5-12-0","release-5-12-1","release-5-12-2","release-5-13-0","release-5-14-0","release-5-15-0","release-5-16-0","release-5-17-0","release-5-17-1","release-5-18-0","release-5-19-0","release-5-20-0","release-5-23-0","release-5-24-0","release-5-25-0","release-5-25-1","release-5-25-2","release-5-7","release-5-8","release-5-8-1"],"database_specific":{"vanir_signatures":[{"signature_type":"Function","signature_version":"v1","id":"CVE-2019-11455-13a9ad76","deprecated":false,"source":"https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9","digest":{"function_hash":"23861697072258711609888231435936520561","length":648},"target":{"file":"src/http/cervlet.c","function":"do_foot"}},{"signature_type":"Line","signature_version":"v1","id":"CVE-2019-11455-16367172","deprecated":false,"source":"https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9","digest":{"line_hashes":["335804617024891229671540928535154829375","310100624601859608845471492265078988370","154807492576191686414917484984983555220","87379780001120515149930474484174954645"],"threshold":0.9},"target":{"file":"src/monit.c"}},{"signature_type":"Function","source":"https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9","id":"CVE-2019-11455-4c95ae77","deprecated":false,"signature_version":"v1","digest":{"function_hash":"287019773174119488372765190948736526793","length":598},"target":{"file":"src/monit.c","function":"version"}},{"signature_type":"Function","id":"CVE-2019-11455-79ed33e1","source":"https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9","deprecated":false,"signature_version":"v1","digest":{"function_hash":"309952375732884078430535276969002257337","length":1433},"target":{"file":"src/http/cervlet.c","function":"do_about"}},{"signature_type":"Line","id":"CVE-2019-11455-9093b3ec","source":"https://bitbucket.org/tildeslash/monit@e9e458ae169c1155cdcd9ca956c0cb4b8d5614f9","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["83469158976872561554671678004370611577","231063324253302383638823170907697343759","266168777303464530820275752220424199435","234939084648347694763319377839068928997","271084292119558296088722602634243413305","72830479874841803587946559619711045487"],"threshold":0.9},"target":{"file":"src/http/cervlet.c"}},{"signature_type":"Function","signature_version":"v1","id":"CVE-2019-11455-964021e3","deprecated":false,"source":"https://bitbucket.org/tildeslash/monit@f12d0cdb42d4e74dffe1525d4062c815c48ac57a","digest":{"function_hash":"93992887670432761616107281068180192984","length":417},"target":{"file":"src/util.c","function":"Util_urlDecode"}},{"signature_type":"Line","signature_version":"v1","id":"CVE-2019-11455-f79bd834","deprecated":false,"source":"https://bitbucket.org/tildeslash/monit@f12d0cdb42d4e74dffe1525d4062c815c48ac57a","digest":{"line_hashes":["336792216971483575453435551836204467274","291712273761895760649981696046002910704","271180010610417258655129962113380495898","21114216790731638776552251915180379568","173822145611965365697731601117605934289","245280868408692416270473546290603669879","242862724403075143428749160003221515339","298734385230047532110796783583358199549","217832284105747072654599295948154493272","284458092717974091187784453750759614001","99362352307682091576341187826044176903","144914216189621785524832115774637432358","156514795832395084577171720215568981037","204684603920824327899377881952475827354","311343363071435061989086714180242758086","272225639610348821859421113697663549549","60787199865810157298384129240791586496","334397499546725008374277679329106001896","81251255236040120734927710176480296484","140763349542358092626072794061719663411","331578764451842713949460228859657056635","225615824364547026479931068946884039306"],"threshold":0.9},"target":{"file":"src/util.c"}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11455.json","vanir_signatures_modified":"2026-04-11T21:43:50Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"}]}