CVE-2019-15903

Out-of-bounds Read

Published: Sep 04, 2019 | Modified: Nov 07, 2023

CVSS 3.x (source: NVD): 7.5 HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x: 5 MEDIUM
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2: (no score listed)
RedHat/V3: 7.5 LOW
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu: MEDIUM

In libexpat before 2.2.8, crafted XML input could fool the parser into switching from DTD parsing to document parsing too early; a subsequent call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

Weakness

The product reads data past the end, or before the beginning, of the intended buffer.

Affected Software

| Name | Vendor | Start Version | End Version |
|------|--------|---------------|-------------|
| Libexpat | Libexpat_project | * | 2.2.8 (excluding) |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-curl-0:7.64.1-36.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_jk-0:1.2.48-4.redhat_1.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el6 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-curl-0:7.64.1-36.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_jk-0:1.2.48-4.redhat_1.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-openssl-pkcs11-0:0.4.10-7.jbcs.el7 | * |
| Red Hat Enterprise Linux 6 | RedHat | thunderbird-0:68.2.0-2.el6_10 | * |
| Red Hat Enterprise Linux 7 | RedHat | firefox-0:68.2.0-1.el7_7 | * |
| Red Hat Enterprise Linux 7 | RedHat | thunderbird-0:68.2.0-1.el7_7 | * |
| Red Hat Enterprise Linux 7 | RedHat | expat-0:2.1.0-12.el7 | * |
| Red Hat Enterprise Linux 8 | RedHat | firefox-0:68.2.0-2.el8_0 | * |
| Red Hat Enterprise Linux 8 | RedHat | thunderbird-0:68.2.0-1.el8_0 | * |
| Red Hat Enterprise Linux 8 | RedHat | expat-0:2.2.5-4.el8 | * |
| Red Hat JBoss Core Services 1 | RedHat | expat | * |
| Red Hat OpenShift Do | RedHat | openshiftdo/odo-init-image-rhel7:1.1.3-2 | * |
| Audacity | Ubuntu | kinetic | * |
| Audacity | Ubuntu | lunar | * |
| Audacity | Ubuntu | mantic | * |
| Ayttm | Ubuntu | xenial | * |
| Cableswig | Ubuntu | xenial | * |
| Cadaver | Ubuntu | bionic | * |
| Cadaver | Ubuntu | disco | * |
| Cadaver | Ubuntu | eoan | * |
| Cadaver | Ubuntu | groovy | * |
| Cadaver | Ubuntu | hirsute | * |
| Cadaver | Ubuntu | impish | * |
| Cadaver | Ubuntu | kinetic | * |
| Cadaver | Ubuntu | lunar | * |
| Cadaver | Ubuntu | mantic | * |
| Cadaver | Ubuntu | xenial | * |
| Chromium-browser | Ubuntu | bionic | * |
| Chromium-browser | Ubuntu | devel | * |
| Chromium-browser | Ubuntu | disco | * |
| Chromium-browser | Ubuntu | eoan | * |
| Chromium-browser | Ubuntu | focal | * |
| Chromium-browser | Ubuntu | groovy | * |
| Chromium-browser | Ubuntu | hirsute | * |
| Chromium-browser | Ubuntu | impish | * |
| Chromium-browser | Ubuntu | jammy | * |
| Chromium-browser | Ubuntu | kinetic | * |
| Chromium-browser | Ubuntu | lunar | * |
| Chromium-browser | Ubuntu | mantic | * |
| Chromium-browser | Ubuntu | noble | * |
| Chromium-browser | Ubuntu | oracular | * |
| Chromium-browser | Ubuntu | trusty | * |
| Chromium-browser | Ubuntu | upstream | * |
| Chromium-browser | Ubuntu | xenial | * |
| Coin3 | Ubuntu | bionic | * |
| Coin3 | Ubuntu | disco | * |
| Coin3 | Ubuntu | eoan | * |
| Coin3 | Ubuntu | esm-apps/bionic | * |
| Coin3 | Ubuntu | esm-apps/xenial | * |
| Coin3 | Ubuntu | esm-infra-legacy/trusty | * |
| Coin3 | Ubuntu | groovy | * |
| Coin3 | Ubuntu | trusty | * |
| Coin3 | Ubuntu | trusty/esm | * |
| Coin3 | Ubuntu | xenial | * |
| Expat | Ubuntu | bionic | * |
| Expat | Ubuntu | disco | * |
| Expat | Ubuntu | trusty | * |
| Expat | Ubuntu | trusty/esm | * |
| Expat | Ubuntu | upstream | * |
| Expat | Ubuntu | xenial | * |
| Firefox | Ubuntu | bionic | * |
| Firefox | Ubuntu | devel | * |
| Firefox | Ubuntu | disco | * |
| Firefox | Ubuntu | eoan | * |
| Firefox | Ubuntu | focal | * |
| Firefox | Ubuntu | groovy | * |
| Firefox | Ubuntu | hirsute | * |
| Firefox | Ubuntu | impish | * |
| Firefox | Ubuntu | jammy | * |
| Firefox | Ubuntu | kinetic | * |
| Firefox | Ubuntu | lunar | * |
| Firefox | Ubuntu | mantic | * |
| Firefox | Ubuntu | noble | * |
| Firefox | Ubuntu | oracular | * |
| Firefox | Ubuntu | upstream | * |
| Firefox | Ubuntu | xenial | * |
| Gdcm | Ubuntu | trusty | * |
| Insighttoolkit | Ubuntu | xenial | * |
| Insighttoolkit4 | Ubuntu | disco | * |
| Insighttoolkit4 | Ubuntu | eoan | * |
| Insighttoolkit4 | Ubuntu | groovy | * |
| Insighttoolkit4 | Ubuntu | hirsute | * |
| Insighttoolkit4 | Ubuntu | impish | * |
| Insighttoolkit4 | Ubuntu | xenial | * |
| Libxmltok | Ubuntu | bionic | * |
| Libxmltok | Ubuntu | devel | * |
| Libxmltok | Ubuntu | esm-apps/bionic | * |
| Libxmltok | Ubuntu | esm-apps/focal | * |
| Libxmltok | Ubuntu | esm-apps/jammy | * |
| Libxmltok | Ubuntu | esm-apps/noble | * |
| Libxmltok | Ubuntu | esm-apps/xenial | * |
| Libxmltok | Ubuntu | focal | * |
| Libxmltok | Ubuntu | hirsute | * |
| Libxmltok | Ubuntu | impish | * |
| Libxmltok | Ubuntu | jammy | * |
| Libxmltok | Ubuntu | kinetic | * |
| Libxmltok | Ubuntu | lunar | * |
| Libxmltok | Ubuntu | mantic | * |
| Libxmltok | Ubuntu | noble | * |
| Libxmltok | Ubuntu | oracular | * |
| Libxmltok | Ubuntu | trusty | * |
| Libxmltok | Ubuntu | xenial | * |
| Matanza | Ubuntu | bionic | * |
| Matanza | Ubuntu | disco | * |
| Matanza | Ubuntu | eoan | * |
| Matanza | Ubuntu | groovy | * |
| Matanza | Ubuntu | hirsute | * |
| Matanza | Ubuntu | impish | * |
| Matanza | Ubuntu | kinetic | * |
| Matanza | Ubuntu | lunar | * |
| Matanza | Ubuntu | mantic | * |
| Matanza | Ubuntu | xenial | * |
| Poco | Ubuntu | trusty | * |
| Sitecopy | Ubuntu | bionic | * |
| Sitecopy | Ubuntu | disco | * |
| Sitecopy | Ubuntu | eoan | * |
| Sitecopy | Ubuntu | groovy | * |
| Sitecopy | Ubuntu | hirsute | * |
| Sitecopy | Ubuntu | impish | * |
| Sitecopy | Ubuntu | kinetic | * |
| Sitecopy | Ubuntu | lunar | * |
| Sitecopy | Ubuntu | mantic | * |
| Sitecopy | Ubuntu | xenial | * |
| Swish-e | Ubuntu | bionic | * |
| Swish-e | Ubuntu | disco | * |
| Swish-e | Ubuntu | eoan | * |
| Swish-e | Ubuntu | groovy | * |
| Swish-e | Ubuntu | hirsute | * |
| Swish-e | Ubuntu | impish | * |
| Swish-e | Ubuntu | kinetic | * |
| Swish-e | Ubuntu | lunar | * |
| Swish-e | Ubuntu | mantic | * |
| Swish-e | Ubuntu | xenial | * |
| Tdom | Ubuntu | bionic | * |
| Tdom | Ubuntu | disco | * |
| Tdom | Ubuntu | eoan | * |
| Tdom | Ubuntu | groovy | * |
| Tdom | Ubuntu | hirsute | * |
| Tdom | Ubuntu | impish | * |
| Tdom | Ubuntu | kinetic | * |
| Tdom | Ubuntu | lunar | * |
| Tdom | Ubuntu | mantic | * |
| Tdom | Ubuntu | xenial | * |
| Thunderbird | Ubuntu | bionic | * |
| Thunderbird | Ubuntu | devel | * |
| Thunderbird | Ubuntu | disco | * |
| Thunderbird | Ubuntu | eoan | * |
| Thunderbird | Ubuntu | focal | * |
| Thunderbird | Ubuntu | groovy | * |
| Thunderbird | Ubuntu | hirsute | * |
| Thunderbird | Ubuntu | impish | * |
| Thunderbird | Ubuntu | jammy | * |
| Thunderbird | Ubuntu | kinetic | * |
| Thunderbird | Ubuntu | lunar | * |
| Thunderbird | Ubuntu | mantic | * |
| Thunderbird | Ubuntu | noble | * |
| Thunderbird | Ubuntu | oracular | * |
| Thunderbird | Ubuntu | upstream | * |
| Thunderbird | Ubuntu | xenial | * |
| Vnc4 | Ubuntu | bionic | * |
| Vnc4 | Ubuntu | esm-apps/bionic | * |
| Vnc4 | Ubuntu | esm-apps/xenial | * |
| Vnc4 | Ubuntu | esm-infra-legacy/trusty | * |
| Vnc4 | Ubuntu | trusty | * |
| Vnc4 | Ubuntu | trusty/esm | * |
| Vnc4 | Ubuntu | xenial | * |
| Vtk | Ubuntu | esm-apps/xenial | * |
| Vtk | Ubuntu | trusty/esm | * |
| Vtk | Ubuntu | xenial | * |
| Wbxml2 | Ubuntu | bionic | * |
| Wbxml2 | Ubuntu | disco | * |
| Wbxml2 | Ubuntu | eoan | * |
| Wbxml2 | Ubuntu | groovy | * |
| Wbxml2 | Ubuntu | hirsute | * |
| Wbxml2 | Ubuntu | impish | * |
| Wbxml2 | Ubuntu | kinetic | * |
| Wbxml2 | Ubuntu | lunar | * |
| Wbxml2 | Ubuntu | mantic | * |
| Wbxml2 | Ubuntu | xenial | * |
| Xmlrpc-c | Ubuntu | bionic | * |
| Xmlrpc-c | Ubuntu | devel | * |
| Xmlrpc-c | Ubuntu | disco | * |
| Xmlrpc-c | Ubuntu | eoan | * |
| Xmlrpc-c | Ubuntu | esm-apps/bionic | * |
| Xmlrpc-c | Ubuntu | esm-apps/focal | * |
| Xmlrpc-c | Ubuntu | esm-apps/jammy | * |
| Xmlrpc-c | Ubuntu | esm-apps/noble | * |
| Xmlrpc-c | Ubuntu | esm-apps/xenial | * |
| Xmlrpc-c | Ubuntu | esm-infra-legacy/trusty | * |
| Xmlrpc-c | Ubuntu | focal | * |
| Xmlrpc-c | Ubuntu | groovy | * |
| Xmlrpc-c | Ubuntu | hirsute | * |
| Xmlrpc-c | Ubuntu | impish | * |
| Xmlrpc-c | Ubuntu | jammy | * |
| Xmlrpc-c | Ubuntu | kinetic | * |
| Xmlrpc-c | Ubuntu | lunar | * |
| Xmlrpc-c | Ubuntu | mantic | * |
| Xmlrpc-c | Ubuntu | noble | * |
| Xmlrpc-c | Ubuntu | oracular | * |
| Xmlrpc-c | Ubuntu | trusty | * |
| Xmlrpc-c | Ubuntu | trusty/esm | * |
| Xmlrpc-c | Ubuntu | upstream | * |
| Xmlrpc-c | Ubuntu | xenial | * |

Potential Mitigations

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of introducing an out-of-bounds read, validate every length argument, buffer-size calculation, and offset, and confirm that the arithmetic behind them is correct. Be especially careful about relying on a sentinel (e.g., a special character such as NUL) in untrusted input.