Information disclosure in libxslt (Alpine package)

Published: 2019-11-17

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2019-13118
CWE-ID	CWE-200
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	libxslt (Alpine package) Operating systems & Components / Operating system package or component
Vendor	Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU18966

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-13118

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to uninitialized stack data exposure in numbers.c in libxslt library when processing an invalid character/length combination in xsltNumberFormatDecimal. A remote attacker can gain pass specially crafted data to the application using the affected library and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

libxslt (Alpine package): 1.1.33-r0 - 1.1.33-r2

CPE2.3

External links

https://git.alpinelinux.org/aports/commit/?id=27b3948601965509fee472f606c59626221f5398
https://git.alpinelinux.org/aports/commit/?id=6e3bb6bd9e635d4d171d323935e6a9721ef4c740
https://git.alpinelinux.org/aports/commit/?id=b98ba48c0925b8f0093983262b8d3fb122ee97dc
https://git.alpinelinux.org/aports/commit/?id=cab2f7460bc61617445a4f921c14b6b9d8ec0e0a

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.