Type Confusion in libxslt Affects Product from GNOME
CVE-2019-13118
5.3 MEDIUM
What is CVE-2019-13118?
A type confusion vulnerability in the libxslt 1.1.33 library can occur when an invalid character or length combination is passed to the xsltNumberFormatDecimal function. This leads to reading uninitialized data from the stack, potentially exposing sensitive information or causing unexpected behavior in applications that utilize this library. Affected systems include various Apple products that rely on libxslt for XML transformations and styling.
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
