CVE-2019-15903 - OpenCVE

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Libexpat Project	Libexpat
Python	Python
Redhat	Enterprise Linux Jboss Core Services Openshift Do

Configuration 1 [-]

cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::

Package	CPE	Advisory	Released Date
JBoss Core Services on RHEL 6
jbcs-httpd24-curl-0:7.64.1-36.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-mod_jk-0:1.2.48-4.redhat_1.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el6	cpe:/a:redhat:jboss_core_services:1::el6	RHSA-2020:2644	2020-06-22T00:00:00Z
JBoss Core Services on RHEL 7
jbcs-httpd24-curl-0:7.64.1-36.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-mod_jk-0:1.2.48-4.redhat_1.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2020:2644	2020-06-22T00:00:00Z
jbcs-httpd24-openssl-pkcs11-0:0.4.10-7.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2020:2644	2020-06-22T00:00:00Z
Red Hat Enterprise Linux 6
thunderbird-0:68.2.0-2.el6_10	cpe:/o:redhat:enterprise_linux:6	RHSA-2019:3756	2019-11-06T00:00:00Z
Red Hat Enterprise Linux 7
firefox-0:68.2.0-1.el7_7	cpe:/o:redhat:enterprise_linux:7	RHSA-2019:3193	2019-10-24T00:00:00Z
thunderbird-0:68.2.0-1.el7_7	cpe:/o:redhat:enterprise_linux:7	RHSA-2019:3210	2019-10-29T00:00:00Z
expat-0:2.1.0-12.el7	cpe:/o:redhat:enterprise_linux:7	RHSA-2020:3952	2020-09-29T00:00:00Z
Red Hat Enterprise Linux 8
firefox-0:68.2.0-2.el8_0	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3196	2019-10-24T00:00:00Z
thunderbird-0:68.2.0-1.el8_0	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:3237	2019-10-29T00:00:00Z
expat-0:2.2.5-4.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:4484	2020-11-04T00:00:00Z
Red Hat JBoss Core Services 1
expat	cpe:/a:redhat:jboss_core_services:1	RHSA-2020:2646	2020-06-22T00:00:00Z
Red Hat OpenShift Do
openshiftdo/odo-init-image-rhel7:1.1.3-2	cpe:/a:redhat:openshift_do:1.0::el7	RHSA-2021:0949	2021-03-22T00:00:00Z

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00081.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00016.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00017.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00018.html
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00019.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html
http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html
http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html
http://seclists.org/fulldisclosure/2019/Dec/23
http://seclists.org/fulldisclosure/2019/Dec/26
http://seclists.org/fulldisclosure/2019/Dec/27
http://seclists.org/fulldisclosure/2019/Dec/30
https://access.redhat.com/errata/RHSA-2019:3210
https://access.redhat.com/errata/RHSA-2019:3237
https://access.redhat.com/errata/RHSA-2019:3756
https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
https://github.com/libexpat/libexpat/issues/317
https://github.com/libexpat/libexpat/issues/342
https://github.com/libexpat/libexpat/pull/318
https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html
https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/
https://nvd.nist.gov/vuln/detail/CVE-2019-15903
https://seclists.org/bugtraq/2019/Dec/17
https://seclists.org/bugtraq/2019/Dec/21
https://seclists.org/bugtraq/2019/Dec/23
https://seclists.org/bugtraq/2019/Nov/1
https://seclists.org/bugtraq/2019/Nov/24
https://seclists.org/bugtraq/2019/Oct/29
https://seclists.org/bugtraq/2019/Sep/30
https://seclists.org/bugtraq/2019/Sep/37
https://security.gentoo.org/glsa/201911-08
https://security.netapp.com/advisory/ntap-20190926-0004/
https://support.apple.com/kb/HT210785
https://support.apple.com/kb/HT210788
https://support.apple.com/kb/HT210789
https://support.apple.com/kb/HT210790
https://support.apple.com/kb/HT210793
https://support.apple.com/kb/HT210794
https://support.apple.com/kb/HT210795
https://usn.ubuntu.com/4132-1/
https://usn.ubuntu.com/4132-2/
https://usn.ubuntu.com/4165-1/
https://usn.ubuntu.com/4202-1/
https://usn.ubuntu.com/4335-1/
https://www.cve.org/CVERecord?id=CVE-2019-15903
https://www.debian.org/security/2019/dsa-4530
https://www.debian.org/security/2019/dsa-4549
https://www.debian.org/security/2019/dsa-4571
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.tenable.com/security/tns-2021-11

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-09-04T05:59:16

Updated: 2024-08-05T01:03:32.547Z

Reserved: 2019-09-04T00:00:00

Link: CVE-2019-15903

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-09-04T06:15:10.877

Modified: 2023-11-07T03:05:35.773

Link: CVE-2019-15903

Redhat

Severity : Low

Publid Date: 2019-09-04T00:00:00Z

Links: CVE-2019-15903 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object