Type Confusion in libxslt

#VU66693 Type Confusion in libxslt

Published: 2022-08-22

Vulnerability identifier: #VU66693

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-5815

CWE-ID: CWE-843

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libxslt
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a type confusion error within the xsltNumberFormatGetMultipleLevel. A remote attacker can pass specially crafted XML data to the application, trigger a type confusion error and crash the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

libxslt: 0.1.0 - 1.1.33

External links
http://bugs.chromium.org/p/chromium/issues/detail?id=930663
http://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Cloud Foundry Foundation cflinuxfs3 update for Libxslt

Ubuntu update for libxslt

Denial of service in libxslt