#VU33246 Input validation error in libxslt - CVE-2015-7995

Cybersecurity Help s.r.o.

Published: 2015-11-17 | Updated: 2020-08-03

Vulnerability identifier: #VU33246

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-7995

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libxslt
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description

The vulnerability allows attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted XML file, related to a "type confusion" issue.

Mitigation
Update to version 1.1.29.

Vulnerable software versions

libxslt: 1.1.28

External links
https://lists.apple.com/archives/security-announce/2016/Jan/msg00002.html
https://lists.apple.com/archives/security-announce/2016/Jan/msg00003.html
https://lists.apple.com/archives/security-announce/2016/Jan/msg00005.html
https://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html
https://lists.opensuse.org/opensuse-updates/2016-05/msg00123.html
https://www.debian.org/security/2016/dsa-3605
https://www.openwall.com/lists/oss-security/2015/10/27/10
https://www.openwall.com/lists/oss-security/2015/10/28/4
https://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
https://www.securityfocus.com/bid/77325
https://www.securitytracker.com/id/1034736
https://www.securitytracker.com/id/1038623
https://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.386546
https://bugzilla.redhat.com/show_bug.cgi?id=1257962
https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380
https://puppet.com/security/cve/cve-2015-7995
https://support.apple.com/HT205729
https://support.apple.com/HT205731
https://support.apple.com/HT205732
https://support.apple.com/HT206168

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Slackware Linux update for libxslt

Input validation error in libxslt (Alpine package)

Input validation error in libxslt for Libxml2