PT-2019-4668 · Libxslt+6

Published 2019-01-02 · Updated 2024-06-15 · CVE-2019-13118

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: libxslt version 1.1.33; Nokogiri versions prior to 1.10.5

Description: The issue arises from insufficient input validation in the xsltNumberFormatDecimal function of the libxslt library. This could allow a remote attacker to gain unauthorized access to protected information. The problem is caused by the type holding the grouping character of an xsl:number instruction being too narrow, so that an invalid character/length combination is passed to xsltNumberFormatDecimal, resulting in a read of uninitialized stack data.

Recommendations: For libxslt version 1.1.33, update to version 1.1.34 or later to address this issue. For Nokogiri versions prior to 1.10.5, update to version 1.10.5 or later, which includes an updated version of libxslt that addresses this vulnerability.
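The character/length mismatch the description refers to, shown as an added C model that is not code from this page or from libxslt: a multi-byte separator such as U+2009 is parsed as a 3-byte code point, a one-byte field truncates it on store, and the formatter later re-encodes the truncated value but still copies the recorded length. The widened field and the length check in format_grouped are the defensive counterparts; all names (utf8_encode, grouping_mismatch, narrow_store_mismatch, wide_store_mismatch, format_grouped) are hypothetical.

```c
#include <string.h>
/* Hypothetical model (not libxslt's code) of the xsl:number grouping separator the advisory
 * describes: parsed to a code point plus UTF-8 length, later re-encoded and copied by length. */

/* Encode code point cp as UTF-8 into out (room for 4 bytes); returns byte count, 0 if invalid. */
static int utf8_encode(int cp, unsigned char *out) {
    if (cp < 0 || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    if (cp < 0x80)    { out[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800)   { out[0] = 0xC0 | (cp >> 6);  out[1] = 0x80 | (cp & 0x3F); return 2; }
    if (cp < 0x10000) { out[0] = 0xE0 | (cp >> 12); out[1] = 0x80 | ((cp >> 6) & 0x3F);
                        out[2] = 0x80 | (cp & 0x3F); return 3; }
    return 0; /* supplementary planes are not modelled here */
}

/* The defect as a predicate: if fewer bytes are encoded than the recorded length says, copying
 * `claimed_len` bytes reads past what was initialised. Returns 1 on mismatch. */
static int grouping_mismatch(int stored_cp, int claimed_len) {
    unsigned char tmp[4];
    return utf8_encode(stored_cp, tmp) != claimed_len;
}

/* Narrow field (the bug): storing the code point truncates it to one byte. */
static int narrow_store_mismatch(int cp, int len) {
    unsigned char groupingCharacter = (unsigned char)cp; /* U+2009 becomes 0x09 */
    return grouping_mismatch(groupingCharacter, len);
}
/* Widened field (the fix): the full code point survives the store. */
static int wide_store_mismatch(int cp, int len) {
    int groupingCharacter = cp;
    return grouping_mismatch(groupingCharacter, len);
}

/* Hardened formatter: inserts the separator every `group` digits, copies only bytes that were
 * actually encoded, and refuses (-1) when the encoded length disagrees with the recorded one. */
static int format_grouped(const char *digits, int cp, int claimed_len, int group,
                          char *out, size_t outsz) {
    unsigned char sep[4]; size_t pos = 0;
    int seplen = utf8_encode(cp, sep), n = (int)strlen(digits);
    if (seplen == 0 || seplen != claimed_len || group <= 0) return -1;
    for (int i = 0; i < n; i++) {
        if (i > 0 && (n - i) % group == 0) {
            if (pos + seplen >= outsz) return -1;
            memcpy(out + pos, sep, seplen); pos += seplen;
        }
        if (pos + 1 >= outsz) return -1;
        out[pos++] = digits[i];
    }
    out[pos] = '\0';
    return (int)pos;
}
```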

Fix

Type Confusion

RCE


Weakness Enumeration

Related identifiers

ALT-PU-2019-2688
ALT-PU-2019-3146
ALT-PU-2020-3302
ALT-PU-2020-3348
BDU:2020-00861
CVE-2019-13118
DLA-1860-1
GHSA-CF46-6XXH-PC75
MGASA-2019-0313
OPENSUSE-SU-2020:0731-1
OPENSUSE-SU-2020_0731-1
OPENSUSE-SU-2024:11017-1
SUSE-SU-2019:1867-1
SUSE-SU-2020:1409-1
USN-4164-1

Affected products

Alt Linux
Java Platform
Nokogiri
Suse
Ubuntu
Itunes
Libxslt