CVE-2011-1202: Infoleak
First published: Tue Feb 22 2011(Updated: )
The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/firefox | <0:3.6.17-2.el4 | 0:3.6.17-2.el4 |
| redhat/firefox | <0:3.6.17-1.el5_6 | 0:3.6.17-1.el5_6 |
| redhat/xulrunner | <0:1.9.2.17-3.el5_6 | 0:1.9.2.17-3.el5_6 |
| redhat/libxslt | <0:1.1.17-4.el5_8.3 | 0:1.1.17-4.el5_8.3 |
| redhat/firefox | <0:3.6.17-1.el6_0 | 0:3.6.17-1.el6_0 |
| redhat/xulrunner | <0:1.9.2.17-4.el6_0 | 0:1.9.2.17-4.el6_0 |
| redhat/libxslt | <0:1.1.26-2.el6_3.1 | 0:1.1.26-2.el6_3.1 |
| libxslt | <=1.1.26 | |
| Google Chrome (Trace Event) | <10.0.648.127 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://code.google.com/p/chromium/issues/detail?id=73716
- http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html
- http://www.securityfocus.com/bid/46785
- http://www.vupen.com/english/advisories/2011/0628
- http://git.gnome.org/browse/libxslt/commit/?id=ecb6bcb8d1b7e44842edde3929f412d46b40c89f
- http://scarybeastsecurity.blogspot.com/2011/03/multi-browser-heap-address-leak-in-xslt.html
- https://bugzilla.redhat.com/show_bug.cgi?id=684386
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:079
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:164
- http://downloads.avaya.com/css/P8/documents/100144158
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65966
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14244
- https://access.redhat.com/security/cve/CVE-2011-1202
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=684388
- https://rhn.redhat.com/errata/RHSA-2011-0471.html
- https://rhn.redhat.com/errata/RHSA-2012-1265.html
- https://www.cve.org/CVERecord?id=CVE-2011-1202 https://nvd.nist.gov/vuln/detail/CVE-2011-1202
- https://access.redhat.com/errata/RHSA-2011:0471
- https://access.redhat.com/errata/RHSA-2012:1265
Frequently Asked Questions
What is the severity of CVE-2011-1202?
CVE-2011-1202 is classified as a high severity vulnerability that allows remote attackers to access sensitive heap memory information.
How do I fix CVE-2011-1202?
To fix CVE-2011-1202, you should update to the latest versions of affected packages such as libxslt, Firefox, or Google Chrome.
Which products are affected by CVE-2011-1202?
CVE-2011-1202 affects libxslt versions up to 1.1.26, Google Chrome versions before 10.0.648.127, and certain versions of Firefox.
Is CVE-2011-1202 exploitable remotely?
Yes, CVE-2011-1202 can be exploited remotely via specially crafted XML documents.
What types of information can be leaked due to CVE-2011-1202?
CVE-2011-1202 can leak potentially sensitive information about heap memory addresses.
- collector/redhat-cve
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-1202
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- vendor/xmlsoft
- canonical/libxslt
- version/libxslt/1.1.26
- vendor/google
- canonical/google chrome (trace event)