CVE-2019-13118 — MEDIUM (5.3)

Q: How severe is CVE-2019-13118?

CVE-2019-13118 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-13118?

Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Libxslt, Opensuse Leap, Netapp Active Iq Unified Manager, Netapp Cloud Backup, Netapp Clustered Data Ontap.

Vulnerability Description

In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Xmlsoft	Libxslt	1.1.33
Opensuse	Leap	15.1
Netapp	Active Iq Unified Manager	-
Netapp	Cloud Backup	-
Netapp	Clustered Data Ontap	-
Netapp	E-Series Performance Analyzer	-
Netapp	E-Series Santricity Management Plug-Ins	-
Netapp	E-Series Santricity Os Controller	>= 11.0, <= 11.50.2
Netapp	E-Series Santricity Storage Manager	-
Netapp	E-Series Santricity Web Services	-
Netapp	Oncommand Insight	-
Netapp	Oncommand Workflow Automation	-
Netapp	Ontap Select Deploy Administration Utility	-
Netapp	Plug-In For Symantec Netbackup	-
Netapp	Santricity Unified Manager	-
Netapp	Steelstore Cloud Integrated Storage	-
Oracle	Jdk	1.8.0
Fedoraproject	Fedora	31
Canonical	Ubuntu Linux	12.04
Apple	Icloud	< 7.13

Related Weaknesses (CWE)

CWE-843

References

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.htmlMailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2019/Aug/11Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2019/Aug/13Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2019/Aug/14Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2019/Aug/15Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2019/Jul/22Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2019/Jul/23Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2019/Jul/24Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2019/Jul/26Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2019/Jul/31Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2019/Jul/37Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2019/Jul/38Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2019/11/17/2Mailing ListThird Party Advisory
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069Permissions Required
https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f656941948987PatchThird Party Advisory

FAQ

What is CVE-2019-13118?

CVE-2019-13118 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, l...

How severe is CVE-2019-13118?

CVE-2019-13118 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-13118?

Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Libxslt, Opensuse Leap, Netapp Active Iq Unified Manager, Netapp Cloud Backup, Netapp Clustered Data Ontap.