#VU24487 Memory leak in Libxml2 - CVE-2019-20388

Cybersecurity Help s.r.o.

Published: 2020-01-22 | Updated: 2023-04-12

Vulnerability identifier: #VU24487

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-20388

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Libxml2
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in xmlSchemaPreRun in xmlschemas.c. A remote attacker can trigger a xmlSchemaValidateStream memory leak and perform denial of service attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Libxml2: 2.9.10

External links
https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM QRadar Network Security

Multiple vulnerabilities in Hitachi Energy APM Edge

CentOS 7 update for libxml2

Anolis OS update for libxml2

Multiple vulnerabilities in cflinuxfs3

Ubuntu update for libxml2

Multiple vulnerabilities in Red Hat OpenShift Serverless

SUSE update for libxml2

Multiple vulnerabilities in Red Hat Ansible Automation Platform 1.2

IBM RackSwitch firmware update for Libxml2