CVE-2019-15903
First published: Wed Sep 04 2019(Updated: )
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
Credit: Joonun Jang cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-curl | <0:7.64.1-36.jbcs.el6 | 0:7.64.1-36.jbcs.el6 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-57.jbcs.el6 | 0:2.4.37-57.jbcs.el6 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-25.jbcs.el6 | 0:1.39.2-25.jbcs.el6 |
| redhat/jbcs-httpd24-curl | <0:7.64.1-36.jbcs.el7 | 0:7.64.1-36.jbcs.el7 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-57.jbcs.el7 | 0:2.4.37-57.jbcs.el7 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-25.jbcs.el7 | 0:1.39.2-25.jbcs.el7 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-7.jbcs.el7 | 0:0.4.10-7.jbcs.el7 |
| redhat/thunderbird | <0:68.2.0-2.el6_10 | 0:68.2.0-2.el6_10 |
| redhat/firefox | <0:68.2.0-1.el7_7 | 0:68.2.0-1.el7_7 |
| redhat/thunderbird | <0:68.2.0-1.el7_7 | 0:68.2.0-1.el7_7 |
| redhat/expat | <0:2.1.0-12.el7 | 0:2.1.0-12.el7 |
| redhat/firefox | <0:68.2.0-2.el8_0 | 0:68.2.0-2.el8_0 |
| redhat/thunderbird | <0:68.2.0-1.el8_0 | 0:68.2.0-1.el8_0 |
| redhat/expat | <0:2.2.5-4.el8 | 0:2.2.5-4.el8 |
| debian/expat | <=2.2.0-2+deb9u2<=2.2.0-1<=2.2.6-2<=2.2.7-1 | 2.2.7-2 2.2.6-2+deb10u1 2.2.0-2+deb9u3 |
| redhat/expat | <2.2.8 | 2.2.8 |
| redhat/firefox | <68.2 | 68.2 |
| redhat/thunderbird | <68.2 | 68.2 |
| tvOS | <13.3 | 13.3 |
| macOS Catalina | <10.15.2 | 10.15.2 |
| macOS Mojave | ||
| macOS High Sierra | ||
| Apple iOS, iPadOS, and watchOS | <6.1.1 | 6.1.1 |
| Apple iCloud | <7.16 | 7.16 |
| Apple iCloud | <10.9 | 10.9 |
| IBM Rational DOORS Next Generation | <=6.0.2 | |
| IBM Rational DOORS Next Generation | <=6.0.6.1 | |
| IBM Rational DOORS Next Generation | <=6.0.6 | |
| IBM Rational DOORS Next Generation | <=7.0 | |
| Thunderbird | <68.2 | 68.2 |
| Libexpat | <2.2.8 | |
| Python 2.7 | >=2.7.0<2.7.17 | |
| Python 2.7 | >=3.5.0<3.5.8 | |
| Python 2.7 | >=3.6.0<3.6.10 | |
| Python 2.7 | >=3.7.0<3.7.5 | |
| Firefox ESR | <68.2 | 68.2 |
| Firefox | <70 | 70 |
| iTunes | <12.10.3 | 12.10.3 |
| Apple iOS and iPadOS | <13.3 | 13.3 |
| Apple iOS, iPadOS, and macOS | <13.3 | 13.3 |
| debian/chromium | 120.0.6099.224-1~deb11u1 134.0.6998.35-1~deb12u1 135.0.7049.95-1~deb12u1 135.0.7049.95-1 135.0.7049.114-1 | |
| debian/expat | 2.2.10-2+deb11u5 2.2.10-2+deb11u6 2.5.0-1+deb12u1 2.7.1-1 | |
| debian/firefox | 137.0.2-1 | |
| debian/firefox-esr | 115.14.0esr-1~deb11u1 128.9.0esr-1~deb11u1 128.8.0esr-1~deb12u1 128.9.0esr-1~deb12u1 128.9.0esr-2 | |
| debian/thunderbird | 1:115.12.0-1~deb11u1 1:128.9.0esr-1~deb11u1 1:128.8.0esr-1~deb12u1 1:128.9.0esr-1~deb12u1 1:128.9.0esr-1 |
Remedy
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-15903 https://nvd.nist.gov/vuln/detail/CVE-2019-15903
- https://bugzilla.redhat.com/show_bug.cgi?id=1752592
- https://access.redhat.com/errata/RHSA-2020:2644
- https://access.redhat.com/errata/RHSA-2019:3756
- https://access.redhat.com/errata/RHSA-2019:3193
- https://access.redhat.com/errata/RHSA-2019:3210
- https://access.redhat.com/errata/RHSA-2020:3952
- https://access.redhat.com/errata/RHSA-2019:3196
- https://access.redhat.com/errata/RHSA-2019:3237
- https://access.redhat.com/errata/RHSA-2020:4484
- https://access.redhat.com/errata/RHSA-2020:2646
- https://access.redhat.com/security/cve/cve-2019-15903
- https://github.com/libexpat/libexpat/issues/317
- https://security-tracker.debian.org/tracker/CVE-2019-15903
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
- https://github.com/libexpat/libexpat/pull/318
- https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939394
- https://usn.ubuntu.com/4132-1/
- https://github.com/libexpat/libexpat/issues/342
- https://seclists.org/bugtraq/2019/Sep/30
- http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html
- https://usn.ubuntu.com/4132-2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/
- https://www.debian.org/security/2019/dsa-4530
- https://seclists.org/bugtraq/2019/Sep/37
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/
- https://security.netapp.com/advisory/ntap-20190926-0004/
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00081.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/
- https://seclists.org/bugtraq/2019/Oct/29
- http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html
- http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html
- https://usn.ubuntu.com/4165-1/
- https://www.debian.org/security/2019/dsa-4549
- https://seclists.org/bugtraq/2019/Nov/1
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00016.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00018.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00017.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00019.html
- https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html
- https://seclists.org/bugtraq/2019/Nov/24
- https://www.debian.org/security/2019/dsa-4571
- https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html
- https://security.gentoo.org/glsa/201911-08
- https://usn.ubuntu.com/4202-1/
- https://support.apple.com/kb/HT210785
- https://support.apple.com/kb/HT210788
- https://support.apple.com/kb/HT210789
- https://support.apple.com/kb/HT210790
- https://seclists.org/bugtraq/2019/Dec/23
- https://seclists.org/bugtraq/2019/Dec/21
- https://seclists.org/bugtraq/2019/Dec/17
- https://support.apple.com/kb/HT210793
- https://support.apple.com/kb/HT210795
- https://support.apple.com/kb/HT210794
- http://seclists.org/fulldisclosure/2019/Dec/23
- http://seclists.org/fulldisclosure/2019/Dec/26
- http://seclists.org/fulldisclosure/2019/Dec/27
- http://seclists.org/fulldisclosure/2019/Dec/30
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://usn.ubuntu.com/4335-1/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.tenable.com/security/tns-2021-11
- https://launchpad.net/bugs/cve/CVE-2019-15903
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1752596
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1752597
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1752598
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/
- https://nvd.nist.gov/vuln/detail/CVE-2019-15903
- https://ubuntu.com/security/CVE-2019-15903
- https://support.apple.com/en-us/HT210790 (Advisory)
- https://support.apple.com/en-us/HT210788 (Advisory)
- https://support.apple.com/en-us/HT210785 (Advisory)
- https://support.apple.com/en-us/HT210789 (Advisory)
- https://support.apple.com/en-us/HT210795 (Advisory)
- https://support.apple.com/en-us/HT210794 (Advisory)
- https://support.apple.com/en-us/HT210793 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/166560
- https://www.ibm.com/support/pages/node/6235162 (Advisory)
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-15903
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-15903
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-15903
- https://bugzilla.mozilla.org/show_bug.cgi?id=1584907
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2019-8834
- CVE-2019-8848
- CVE-2019-8830
- CVE-2019-8833
- CVE-2019-8828
- CVE-2019-8838
- CVE-2019-15903
- CVE-2019-15161
- CVE-2019-15162
- CVE-2019-15163
- CVE-2019-15164
- CVE-2019-15165
- CVE-2019-8832
- CVE-2019-8898
- CVE-2019-8835
- CVE-2019-8844
- CVE-2019-8846
- CVE-2019-8837
- CVE-2019-8853
- CVE-2019-8856
- CVE-2019-8842
- CVE-2019-8839
- CVE-2019-8851
- CVE-2019-8847
- CVE-2019-8852
- CVE-2020-9782
- CVE-2012-1164
- CVE-2012-2668
- CVE-2013-4449
- CVE-2015-1545
- CVE-2019-13057
- CVE-2019-13565
- CVE-2017-16808
- CVE-2018-10103
- CVE-2018-10105
- CVE-2018-14461
- CVE-2018-14462
- CVE-2018-14463
- CVE-2018-14464
- CVE-2018-14465
- CVE-2018-14466
- CVE-2018-14467
- CVE-2018-14468
- CVE-2018-14469
- CVE-2018-14470
- CVE-2018-14879
- CVE-2018-14880
- CVE-2018-14881
- CVE-2018-14882
- CVE-2018-16227
- CVE-2018-16228
- CVE-2018-16229
- CVE-2018-16230
- CVE-2018-16300
- CVE-2018-16301
- CVE-2018-16451
- CVE-2018-16452
- CVE-2019-15166
- CVE-2019-15167
- CVE-2019-15126
- CVE-2019-11757
- CVE-2019-11758
- CVE-2019-11759
- CVE-2019-11760
- CVE-2019-11761
- CVE-2019-11762
- CVE-2019-11763
- CVE-2019-11764
- CVE-2018-6156
- CVE-2019-25136
- CVE-2020-12412
- CVE-2019-11765
- CVE-2019-17000
- CVE-2019-17001
- CVE-2019-17002
- CVE-2019-8841
- CVE-2019-8857
Frequently Asked Questions
What is CVE-2019-15903?
CVE-2019-15903 is a vulnerability in libexpat before version 2.2.8 that could result in a heap-based buffer over-read.
Which software products are affected by CVE-2019-15903?
Mozilla Firefox ESR versions up to 68.2, Mozilla Thunderbird versions up to 68.2, and Mozilla Firefox versions up to 70 are affected by CVE-2019-15903. Additionally, the expat package versions up to 2.2.8 are also affected.
What is the severity of CVE-2019-15903?
CVE-2019-15903 has a severity rating of high.
How can I fix CVE-2019-15903?
To fix CVE-2019-15903, update to expat version 2.2.8. For Mozilla products, update to the respective patched versions mentioned in the Mozilla security advisories.
Where can I find more information about CVE-2019-15903?
You can find more information about CVE-2019-15903 in the provided references: [1], [2], [3].
- collector/redhat-cve
- collector/debian-bugs
- alias/CVE-2019-15903
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/remedy
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/source
- collector/apple-support
- agent/software-canonical-lookup-request
- agent/author
- collector/ibm-support
- source/IBM
- agent/references
- collector/mozilla-advisory
- source/Mozilla
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- agent/event
- agent/tags
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- package-manager/redhat
- package-manager/debian
- vendor/apple
- canonical/tvos
- canonical/macos catalina
- canonical/macos mojave
- canonical/macos high sierra
- canonical/apple ios, ipados, and watchos
- canonical/apple icloud
- vendor/ibm
- canonical/ibm rational doors next generation
- version/ibm rational doors next generation/6.0.2
- version/ibm rational doors next generation/6.0.6.1
- version/ibm rational doors next generation/6.0.6
- version/ibm rational doors next generation/7.0
- vendor/mozilla
- canonical/thunderbird
- vendor/libexpat project
- canonical/libexpat
- vendor/python
- canonical/python 2.7
- version/python 2.7/2.7.0
- version/python 2.7/3.5.0
- version/python 2.7/3.6.0
- version/python 2.7/3.7.0
- canonical/firefox esr
- canonical/firefox
- canonical/itunes
- canonical/apple ios and ipados
- canonical/apple ios, ipados, and macos