PT-2019-6370 · Ezxml+3
Published: 2019-12-30 · Updated: 2021-12-23
CVE-2019-20199
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
ezXML versions 0.8.3 through 0.8.6
Description
The issue is related to the ezxml_decode function in the ezXML library, which performs incorrect memory handling while parsing a crafted XML file. This leads to a NULL pointer dereference when running strlen() on a NULL pointer. The vulnerability allows a remote attacker to cause a denial of service using a specially crafted XML file. The vulnerability is related to reading beyond the boundaries of a data buffer.
Recommendations
For ezXML versions 0.8.3 through 0.8.6, consider disabling the ezxml_decode function until a patch is available to prevent exploitation. Restrict access to the ezXML library to minimize the risk of denial of service attacks. Avoid using the ezxml_decode function with untrusted XML files until the issue is resolved.
Exploit
Fix
Out of bounds Read
NULL Pointer Dereference
Related Identifiers
Affected Products
Astra Linux
Debian
Suse
Ezxml