Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2018-1311

Опубликовано: 18 дек. 2019
Источник: debian
EPSS Низкий

Описание

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
xerces-cfixed3.2.3+debian-2package
xerces-cpostponedjessiepackage

Примечания

  • http://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt

  • https://issues.apache.org/jira/browse/XERCESC-2188

  • http://vault.centos.org/7.7.1908/updates/Source/SPackages/xerces-c-3.1.1-10.el7_7.src.rpm (fix with memory leak, applied in DLA-2498-1 and DSA-4814-1)

  • Mitigation by setting the XERCES_DISABLE_DTD environment variable

  • Fixed by: https://github.com/apache/xerces-c/commit/e0024267504188e42ace4dd9031d936786914835 (v3.2.5)

  • Fix replaced with upstream-vetted patch (without introducing memory leak and binary-compatible) in 3.2.4+debian-1.1

EPSS

Процентиль: 88%
0.04171
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2018-1311

CVSS3: 8.1
ubuntu
больше 5 лет назад

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

redhat логотип

CVE-2018-1311

CVSS3: 8.1
redhat
больше 5 лет назад

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

nvd логотип

CVE-2018-1311

CVSS3: 8.1
nvd
больше 5 лет назад

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

msrc логотип

CVE-2018-1311

CVSS3: 8.1
msrc
больше 3 лет назад

Описание отсутствует

suse-cvrf логотип

openSUSE-SU-2021:2958-1

suse-cvrf
почти 4 года назад

Security update for xerces-c

EPSS

Процентиль: 88%
0.04171
Низкий