CVE-2019-15903

CVSS v3.1: 7.5 (High)
CVSS v2.0: 5.0 (Medium)
EPSS: 0.46% (76th percentile)
Affected Products: 2
Advisories: 59

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
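The two API calls named above are reached from Python through pyexpat (CPython's bundled libexpat binding), so a Python check is a natural companion to the affected-version tables on this page. The block below is an added example, not code from this page or from the libexpat or CPython projects: it encodes the fixed versions listed here, tests the running interpreter's actual expat version (which matters more than the CPython version, since distributions may link pyexpat against a system libexpat), and shows the parse-then-query-position pattern that ends in XML_GetCurrentLineNumber / XML_GetCurrentColumnNumber, refusing that query on an unfixed library. The sample documents are constructed ordinary XML; neither is the crafted input that triggers the over-read.

```python
import pyexpat                  # CPython's bundled libexpat binding
from xml.parsers import expat

# Fixed versions taken from the Configuration tables on this page.
EXPAT_FIXED = (2, 2, 8)         # libexpat < 2.2.8 is affected
# CPython branches whose bundled libexpat predates 2.2.8:
# {(major, minor): first fixed release}
PYTHON_FIXED = {
    (2, 7): (2, 7, 17),
    (3, 5): (3, 5, 8),
    (3, 6): (3, 6, 10),
    (3, 7): (3, 7, 5),
}


def expat_is_affected(version):
    """True when a libexpat version tuple (major, minor, micro) is below 2.2.8."""
    return tuple(version[:3]) < EXPAT_FIXED


def python_is_affected(version):
    """True when a CPython (major, minor, micro) falls inside one of the ranges
    listed on this page. Branches not listed (e.g. 3.8+) return False, which
    only means the page makes no claim about them; check expat_is_affected()
    against pyexpat.version_info for the real answer."""
    major, minor, micro = version[:3]
    fixed = PYTHON_FIXED.get((major, minor))
    return fixed is not None and (major, minor, micro) < fixed


def runtime_is_affected():
    """Check the interpreter this runs under via its linked expat version."""
    return expat_is_affected(pyexpat.version_info)


def parse_with_position(data, allow_unfixed=False):
    """Parse `data` (bytes) to completion and return (ok, line, column).

    On success the position comes from CurrentLineNumber/CurrentColumnNumber,
    on failure from ExpatError.lineno/offset. Both paths call
    XML_GetCurrentLineNumber / XML_GetCurrentColumnNumber, the functions that
    over-read on libexpat < 2.2.8, so the query is refused on an unfixed
    library unless the caller opts in (e.g. for trusted input).
    """
    if runtime_is_affected() and not allow_unfixed:
        raise RuntimeError(
            "libexpat %s < 2.2.8 (CVE-2019-15903): refusing to query parse "
            "position for untrusted input" % ".".join(map(str, pyexpat.version_info))
        )
    parser = expat.ParserCreate()
    try:
        parser.Parse(data, True)
    except expat.ExpatError as err:
        return (False, err.lineno, err.offset)
    return (True, parser.CurrentLineNumber, parser.CurrentColumnNumber)


if __name__ == "__main__":
    print("linked expat:", pyexpat.version_info, "affected:", runtime_is_affected())
    # Constructed sample documents (not the CVE trigger): one well-formed,
    # one with a mismatched end tag on line 3.
    print(parse_with_position(b"<a>\n<b/>\n</a>"))
    print(parse_with_position(b"<a>\n<b>\n</a>"))
```

The version gate is a stop-gap for code that cannot upgrade immediately; the fix is libexpat 2.2.8 or later (or the CPython releases listed in Configuration #2, which bundle it).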

Weaknesses
CWE-125
Out-of-bounds Read
CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2019-09-04 06:15:10
Updated Date
2023-11-07 03:05:35

Affected Products


Configuration #1

  Product                      CPE 2.3                                From        Up to
  Libexpat Project Libexpat    cpe:2.3:a:libexpat_project:libexpat    -           < 2.2.8

Configuration #2

  Product                      CPE 2.3                                From        Up to
  Python                       cpe:2.3:a:python:python                >= 2.7.0    < 2.7.17
  Python                       cpe:2.3:a:python:python                >= 3.5.0    < 3.5.8
  Python                       cpe:2.3:a:python:python                >= 3.6.0    < 3.6.10
  Python                       cpe:2.3:a:python:python                >= 3.7.0    < 3.7.5