CVE-2019-15903

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2019-15903
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References
Link Resource
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00081.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00000.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00002.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00003.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00016.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00017.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00018.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00019.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html Mailing List Third Party Advisory
http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2019/Dec/23 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2019/Dec/26 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2019/Dec/27 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2019/Dec/30 Mailing List Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3210 Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3237 Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3756 Third Party Advisory
https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43 Patch Third Party Advisory
https://github.com/libexpat/libexpat/issues/317 Exploit Issue Tracking Third Party Advisory
https://github.com/libexpat/libexpat/issues/342 Third Party Advisory
https://github.com/libexpat/libexpat/pull/318 Issue Tracking Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/
https://seclists.org/bugtraq/2019/Dec/17 Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Dec/21 Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Dec/23 Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Nov/1 Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Nov/24 Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Oct/29 Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Sep/30 Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Sep/37 Mailing List Third Party Advisory
https://security.gentoo.org/glsa/201911-08 Third Party Advisory
https://security.netapp.com/advisory/ntap-20190926-0004/ Third Party Advisory
https://support.apple.com/kb/HT210785 Third Party Advisory
https://support.apple.com/kb/HT210788 Third Party Advisory
https://support.apple.com/kb/HT210789 Third Party Advisory
https://support.apple.com/kb/HT210790 Third Party Advisory
https://support.apple.com/kb/HT210793 Third Party Advisory
https://support.apple.com/kb/HT210794 Third Party Advisory
https://support.apple.com/kb/HT210795 Third Party Advisory
https://usn.ubuntu.com/4132-1/ Third Party Advisory
https://usn.ubuntu.com/4132-2/ Third Party Advisory
https://usn.ubuntu.com/4165-1/ Third Party Advisory
https://usn.ubuntu.com/4202-1/ Third Party Advisory
https://usn.ubuntu.com/4335-1/ Third Party Advisory
https://www.debian.org/security/2019/dsa-4530 Third Party Advisory
https://www.debian.org/security/2019/dsa-4549 Third Party Advisory
https://www.debian.org/security/2019/dsa-4571 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory
https://www.tenable.com/security/tns-2021-11 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
History

07 Nov 2023, 03:05

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/', 'name': 'FEDORA-2019-672ae0f060', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/', 'name': 'FEDORA-2019-613edfe68b', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/', 'name': 'FEDORA-2019-9505c6b555', 'tags': ['Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/ -

28 Jul 2022, 11:23

Type Values Removed Values Added
CPE cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
First Time Python
Python python
References (UBUNTU) https://usn.ubuntu.com/4202-1/ - (UBUNTU) https://usn.ubuntu.com/4202-1/ - Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2019/Dec/26 - (FULLDISC) http://seclists.org/fulldisclosure/2019/Dec/26 - Mailing List, Third Party Advisory
References (BUGTRAQ) https://seclists.org/bugtraq/2019/Sep/37 - (BUGTRAQ) https://seclists.org/bugtraq/2019/Sep/37 - Mailing List, Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2019:3237 - (REDHAT) https://access.redhat.com/errata/RHSA-2019:3237 - Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00018.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00018.html - Mailing List, Third Party Advisory
References (UBUNTU) https://usn.ubuntu.com/4132-2/ - (UBUNTU) https://usn.ubuntu.com/4132-2/ - Third Party Advisory
References (CONFIRM) https://support.apple.com/kb/HT210789 - (CONFIRM) https://support.apple.com/kb/HT210789 - Third Party Advisory
References (BUGTRAQ) https://seclists.org/bugtraq/2019/Dec/17 - (BUGTRAQ) https://seclists.org/bugtraq/2019/Dec/17 - Mailing List, Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html - Mailing List, Third Party Advisory
References (MISC) http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html - (MISC) http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html - Third Party Advisory, VDB Entry
References (CONFIRM) https://support.apple.com/kb/HT210785 - (CONFIRM) https://support.apple.com/kb/HT210785 - Third Party Advisory
References (CONFIRM) https://www.tenable.com/security/tns-2021-11 - (CONFIRM) https://www.tenable.com/security/tns-2021-11 - Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/ - Mailing List, Third Party Advisory
References (UBUNTU) https://usn.ubuntu.com/4335-1/ - (UBUNTU) https://usn.ubuntu.com/4335-1/ - Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2019/Dec/27 - (FULLDISC) http://seclists.org/fulldisclosure/2019/Dec/27 - Mailing List, Third Party Advisory
References (MISC) http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html - (MISC) http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html - Third Party Advisory, VDB Entry
References (BUGTRAQ) https://seclists.org/bugtraq/2019/Sep/30 - (BUGTRAQ) https://seclists.org/bugtraq/2019/Sep/30 - Mailing List, Third Party Advisory
References (CONFIRM) https://support.apple.com/kb/HT210795 - (CONFIRM) https://support.apple.com/kb/HT210795 - Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2019:3210 - (REDHAT) https://access.redhat.com/errata/RHSA-2019:3210 - Third Party Advisory
References (MLIST) https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html - (MLIST) https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html - Mailing List, Third Party Advisory
References (BUGTRAQ) https://seclists.org/bugtraq/2019/Nov/24 - (BUGTRAQ) https://seclists.org/bugtraq/2019/Nov/24 - Mailing List, Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html - Mailing List, Third Party Advisory
References (MLIST) https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html - (MLIST) https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html - Mailing List, Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/ - Mailing List, Third Party Advisory
References (CONFIRM) https://support.apple.com/kb/HT210794 - (CONFIRM) https://support.apple.com/kb/HT210794 - Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2019/Dec/30 - (FULLDISC) http://seclists.org/fulldisclosure/2019/Dec/30 - Mailing List, Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00017.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00017.html - Mailing List, Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2019/dsa-4549 - (DEBIAN) https://www.debian.org/security/2019/dsa-4549 - Third Party Advisory
References (BUGTRAQ) https://seclists.org/bugtraq/2019/Dec/23 - (BUGTRAQ) https://seclists.org/bugtraq/2019/Dec/23 - Mailing List, Third Party Advisory
References (UBUNTU) https://usn.ubuntu.com/4132-1/ - (UBUNTU) https://usn.ubuntu.com/4132-1/ - Third Party Advisory
References (BUGTRAQ) https://seclists.org/bugtraq/2019/Oct/29 - (BUGTRAQ) https://seclists.org/bugtraq/2019/Oct/29 - Mailing List, Third Party Advisory
References (MISC) http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html - (MISC) http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html - Third Party Advisory, VDB Entry
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00002.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00002.html - Mailing List, Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00003.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00003.html - Mailing List, Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00019.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00019.html - Mailing List, Third Party Advisory
References (UBUNTU) https://usn.ubuntu.com/4165-1/ - (UBUNTU) https://usn.ubuntu.com/4165-1/ - Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00016.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00016.html - Mailing List, Third Party Advisory
References (CONFIRM) https://support.apple.com/kb/HT210793 - (CONFIRM) https://support.apple.com/kb/HT210793 - Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html - Mailing List, Third Party Advisory
References (CONFIRM) https://support.apple.com/kb/HT210788 - (CONFIRM) https://support.apple.com/kb/HT210788 - Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2019/dsa-4530 - (DEBIAN) https://www.debian.org/security/2019/dsa-4530 - Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2019/dsa-4571 - (DEBIAN) https://www.debian.org/security/2019/dsa-4571 - Third Party Advisory
References (REDHAT) https://access.redhat.com/errata/RHSA-2019:3756 - (REDHAT) https://access.redhat.com/errata/RHSA-2019:3756 - Third Party Advisory
References (CONFIRM) https://github.com/libexpat/libexpat/issues/342 - (CONFIRM) https://github.com/libexpat/libexpat/issues/342 - Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2019/Dec/23 - (FULLDISC) http://seclists.org/fulldisclosure/2019/Dec/23 - Mailing List, Third Party Advisory
References (GENTOO) https://security.gentoo.org/glsa/201911-08 - (GENTOO) https://security.gentoo.org/glsa/201911-08 - Third Party Advisory
References (MISC) https://www.oracle.com/security-alerts/cpuoct2020.html - (MISC) https://www.oracle.com/security-alerts/cpuoct2020.html - Third Party Advisory
References (CONFIRM) https://support.apple.com/kb/HT210790 - (CONFIRM) https://support.apple.com/kb/HT210790 - Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00081.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00081.html - Mailing List, Third Party Advisory
References (BUGTRAQ) https://seclists.org/bugtraq/2019/Dec/21 - (BUGTRAQ) https://seclists.org/bugtraq/2019/Dec/21 - Mailing List, Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20190926-0004/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20190926-0004/ - Third Party Advisory
References (BUGTRAQ) https://seclists.org/bugtraq/2019/Nov/1 - (BUGTRAQ) https://seclists.org/bugtraq/2019/Nov/1 - Mailing List, Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html - Mailing List, Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/ - Third Party Advisory
References (N/A) https://www.oracle.com/security-alerts/cpuapr2020.html - (N/A) https://www.oracle.com/security-alerts/cpuapr2020.html - Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00000.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00000.html - Mailing List, Third Party Advisory

15 Jun 2021, 23:15

Type Values Removed Values Added
References
  • (CONFIRM) https://www.tenable.com/security/tns-2021-11 -
Information

Published : 2019-09-04 06:15

Updated : 2023-12-10 12:59

NVD link : CVE-2019-15903

Mitre link : CVE-2019-15903

CVE.ORG link : CVE-2019-15903

JSON object : View

Products Affected

libexpat_project

  • libexpat

python

  • python
CWE
CWE-125

Out-of-bounds Read

CWE-776

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')