CVE-2019-15903
First published: Wed Sep 04 2019(Updated: )
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
Credit: Joonun Jang Joonun Jang Joonun Jang Joonun Jang Joonun Jang Joonun Jang Joonun Jang cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-curl | <0:7.64.1-36.jbcs.el6 | 0:7.64.1-36.jbcs.el6 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-57.jbcs.el6 | 0:2.4.37-57.jbcs.el6 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-25.jbcs.el6 | 0:1.39.2-25.jbcs.el6 |
| redhat/jbcs-httpd24-curl | <0:7.64.1-36.jbcs.el7 | 0:7.64.1-36.jbcs.el7 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-57.jbcs.el7 | 0:2.4.37-57.jbcs.el7 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-25.jbcs.el7 | 0:1.39.2-25.jbcs.el7 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-7.jbcs.el7 | 0:0.4.10-7.jbcs.el7 |
| redhat/thunderbird | <0:68.2.0-2.el6_10 | 0:68.2.0-2.el6_10 |
| redhat/firefox | <0:68.2.0-1.el7_7 | 0:68.2.0-1.el7_7 |
| redhat/thunderbird | <0:68.2.0-1.el7_7 | 0:68.2.0-1.el7_7 |
| redhat/expat | <0:2.1.0-12.el7 | 0:2.1.0-12.el7 |
| redhat/firefox | <0:68.2.0-2.el8_0 | 0:68.2.0-2.el8_0 |
| redhat/thunderbird | <0:68.2.0-1.el8_0 | 0:68.2.0-1.el8_0 |
| redhat/expat | <0:2.2.5-4.el8 | 0:2.2.5-4.el8 |
| Apple iCloud for Windows | <10.9 | 10.9 |
| Apple iCloud for Windows | <7.16 | 7.16 |
| debian/expat | <=2.2.0-2+deb9u2<=2.2.0-1<=2.2.6-2<=2.2.7-1 | 2.2.7-2 2.2.6-2+deb10u1 2.2.0-2+deb9u3 |
| Apple iTunes for Windows | <12.10.3 | 12.10.3 |
| Libexpat Project Libexpat | <2.2.8 | |
| Python Python | >=2.7.0<2.7.17 | |
| Python Python | >=3.5.0<3.5.8 | |
| Python Python | >=3.6.0<3.6.10 | |
| Python Python | >=3.7.0<3.7.5 | |
| Apple watchOS | <6.1.1 | 6.1.1 |
| Apple macOS Catalina | <10.15.2 | 10.15.2 |
| Apple Mojave | ||
| Apple High Sierra | ||
| Apple tvOS | <13.3 | 13.3 |
| Mozilla Thunderbird | <68.2 | 68.2 |
| Mozilla Firefox ESR | <68.2 | 68.2 |
| Mozilla Firefox | <70 | 70 |
| Apple iOS | <13.3 | 13.3 |
| Apple iPadOS | <13.3 | 13.3 |
| redhat/expat | <2.2.8 | 2.2.8 |
| redhat/firefox | <68.2 | 68.2 |
| redhat/thunderbird | <68.2 | 68.2 |
| IBM RDNG | <=6.0.2 | |
| IBM RDNG | <=6.0.6.1 | |
| IBM RDNG | <=6.0.6 | |
| IBM DOORS Next | <=7.0 | |
| debian/chromium | 120.0.6099.224-1~deb11u1 128.0.6613.84-1~deb12u1 130.0.6723.69-1~deb12u1 129.0.6668.89-1 130.0.6723.91-1 | |
| debian/expat | 2.2.10-2+deb11u5 2.2.10-2+deb11u6 2.5.0-1 2.5.0-1+deb12u1 2.6.3-2 | |
| debian/firefox | 132.0-1 | |
| debian/firefox-esr | 115.14.0esr-1~deb11u1 128.4.0esr-1~deb11u1 115.14.0esr-1~deb12u1 128.4.0esr-1~deb12u1 128.3.1esr-2 128.4.0esr-1 | |
| debian/thunderbird | 1:115.12.0-1~deb11u1 1:128.4.0esr-1~deb11u1 1:115.12.0-1~deb12u1 1:115.16.0esr-1~deb12u1 1:128.3.2esr-1 1:128.4.0esr-1 |
Remedy
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-15903 https://nvd.nist.gov/vuln/detail/CVE-2019-15903
- https://bugzilla.redhat.com/show_bug.cgi?id=1752592
- https://access.redhat.com/errata/RHSA-2020:2644
- https://access.redhat.com/errata/RHSA-2019:3756
- https://access.redhat.com/errata/RHSA-2019:3193
- https://access.redhat.com/errata/RHSA-2019:3210
- https://access.redhat.com/errata/RHSA-2020:3952
- https://access.redhat.com/errata/RHSA-2019:3196
- https://access.redhat.com/errata/RHSA-2019:3237
- https://access.redhat.com/errata/RHSA-2020:4484
- https://access.redhat.com/errata/RHSA-2020:2646
- https://access.redhat.com/security/cve/cve-2019-15903
- https://support.apple.com/en-us/HT210794 (Advisory)
- https://support.apple.com/en-us/HT210795 (Advisory)
- https://github.com/libexpat/libexpat/issues/317
- https://security-tracker.debian.org/tracker/CVE-2019-15903
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
- https://github.com/libexpat/libexpat/pull/318
- https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939394
- https://support.apple.com/en-us/HT210793 (Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00081.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00016.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00017.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00018.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html
- http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html
- http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html
- http://seclists.org/fulldisclosure/2019/Dec/23
- http://seclists.org/fulldisclosure/2019/Dec/26
- http://seclists.org/fulldisclosure/2019/Dec/27
- http://seclists.org/fulldisclosure/2019/Dec/30
- https://github.com/libexpat/libexpat/issues/342
- https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html
- https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/
- https://seclists.org/bugtraq/2019/Dec/17
- https://seclists.org/bugtraq/2019/Dec/21
- https://seclists.org/bugtraq/2019/Dec/23
- https://seclists.org/bugtraq/2019/Nov/1
- https://seclists.org/bugtraq/2019/Nov/24
- https://seclists.org/bugtraq/2019/Oct/29
- https://seclists.org/bugtraq/2019/Sep/30
- https://seclists.org/bugtraq/2019/Sep/37
- https://security.gentoo.org/glsa/201911-08
- https://security.netapp.com/advisory/ntap-20190926-0004/
- https://support.apple.com/kb/HT210785
- https://support.apple.com/kb/HT210788
- https://support.apple.com/kb/HT210789
- https://support.apple.com/kb/HT210790
- https://support.apple.com/kb/HT210793
- https://support.apple.com/kb/HT210794
- https://support.apple.com/kb/HT210795
- https://usn.ubuntu.com/4132-1/
- https://usn.ubuntu.com/4132-2/
- https://usn.ubuntu.com/4165-1/
- https://usn.ubuntu.com/4202-1/
- https://usn.ubuntu.com/4335-1/
- https://www.debian.org/security/2019/dsa-4530
- https://www.debian.org/security/2019/dsa-4549
- https://www.debian.org/security/2019/dsa-4571
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.tenable.com/security/tns-2021-11
- https://launchpad.net/bugs/cve/CVE-2019-15903
- https://support.apple.com/en-us/HT210789 (Advisory)
- https://support.apple.com/en-us/HT210788 (Advisory)
- https://support.apple.com/en-us/HT210790 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1584907
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-11764
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/
- https://support.apple.com/en-us/HT210785 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1752596
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1752597
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1752598
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://exchange.xforce.ibmcloud.com/vulnerabilities/166560
- https://www.ibm.com/support/pages/node/6235162 (Advisory)
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-15903
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-15903
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-15903
- https://nvd.nist.gov/vuln/detail/CVE-2019-15903
- https://ubuntu.com/security/CVE-2019-15903
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2019-8834
- CVE-2019-8848
- CVE-2019-15903
- CVE-2019-8835
- CVE-2019-8844
- CVE-2019-8846
- CVE-2019-8898
- CVE-2019-8856
- CVE-2019-8830
- CVE-2019-8833
- CVE-2019-8828
- CVE-2019-8838
- CVE-2019-15161
- CVE-2019-15162
- CVE-2019-15163
- CVE-2019-15164
- CVE-2019-15165
- CVE-2019-8832
- CVE-2019-8837
- CVE-2019-8853
- CVE-2019-8842
- CVE-2019-8839
- CVE-2019-8851
- CVE-2019-8847
- CVE-2019-8852
- CVE-2020-9782
- CVE-2012-1164
- CVE-2012-2668
- CVE-2013-4449
- CVE-2015-1545
- CVE-2019-13057
- CVE-2019-13565
- CVE-2017-16808
- CVE-2018-10103
- CVE-2018-10105
- CVE-2018-14461
- CVE-2018-14462
- CVE-2018-14463
- CVE-2018-14464
- CVE-2018-14465
- CVE-2018-14466
- CVE-2018-14467
- CVE-2018-14468
- CVE-2018-14469
- CVE-2018-14470
- CVE-2018-14879
- CVE-2018-14880
- CVE-2018-14881
- CVE-2018-14882
- CVE-2018-16227
- CVE-2018-16228
- CVE-2018-16229
- CVE-2018-16230
- CVE-2018-16300
- CVE-2018-16301
- CVE-2018-16451
- CVE-2018-16452
- CVE-2019-15166
- CVE-2019-15167
- CVE-2019-15126
- CVE-2019-11757
- CVE-2019-11758
- CVE-2019-11759
- CVE-2019-11760
- CVE-2019-11761
- CVE-2019-11762
- CVE-2019-11763
- CVE-2019-11764
- CVE-2018-6156
- CVE-2019-25136
- CVE-2020-12412
- CVE-2019-11765
- CVE-2019-17000
- CVE-2019-17001
- CVE-2019-17002
- CVE-2019-8841
- CVE-2019-8857
Frequently Asked Questions
What is CVE-2019-15903?
CVE-2019-15903 is a vulnerability in libexpat before version 2.2.8 that could result in a heap-based buffer over-read.
Which software products are affected by CVE-2019-15903?
Mozilla Firefox ESR versions up to 68.2, Mozilla Thunderbird versions up to 68.2, and Mozilla Firefox versions up to 70 are affected by CVE-2019-15903. Additionally, the expat package versions up to 2.2.8 are also affected.
What is the severity of CVE-2019-15903?
CVE-2019-15903 has a severity rating of high.
How can I fix CVE-2019-15903?
To fix CVE-2019-15903, update to expat version 2.2.8. For Mozilla products, update to the respective patched versions mentioned in the Mozilla security advisories.
Where can I find more information about CVE-2019-15903?
You can find more information about CVE-2019-15903 in the provided references: [1], [2], [3].
- collector/redhat-cve
- collector/apple-support
- collector/debian-bugs
- alias/CVE-2019-15903
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/software-canonical-lookup-request
- agent/remedy
- agent/severity
- agent/author
- agent/weakness
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/mozilla-advisory
- source/Mozilla
- agent/description
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/apple
- canonical/apple icloud for windows
- package-manager/debian
- canonical/apple itunes for windows
- vendor/libexpat project
- canonical/libexpat project libexpat
- vendor/python
- canonical/python python
- version/python python/2.7.0
- version/python python/3.5.0
- version/python python/3.6.0
- version/python python/3.7.0
- canonical/apple watchos
- canonical/apple macos catalina
- canonical/apple mojave
- canonical/apple high sierra
- canonical/apple tvos
- vendor/mozilla
- canonical/mozilla thunderbird
- canonical/mozilla firefox esr
- canonical/mozilla firefox
- canonical/apple ios
- canonical/apple ipados
- vendor/ibm
- canonical/ibm rdng
- version/ibm rdng/6.0.2
- version/ibm rdng/6.0.6.1
- version/ibm rdng/6.0.6
- canonical/ibm doors next
- version/ibm doors next/7.0