CVE-2019-15903

Summary

CVE: CVE-2019-15903
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2019-09-04 06:15:00 UTC
Updated: 2023-11-07 03:05:00 UTC
Description: In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

Risk And Classification

Problem Types: CWE-125 | CWE-776

NVD Known Affected Configurations (CPE 2.3)

Type        | Vendor           | Product  | Version | Update | Edition | Language
Application | Libexpat Project | Libexpat | All     | All    | All     | All
Application | Python           | Python   | All     | All    | All     | All

References

Reference | Source | Link | Tags
xmlparse.c: Deny internal entities closing the doctype · libexpat/libexpat@c20b758 · GitHub MISC github.com Patch, Third Party Advisory
USN-4132-2: Expat vulnerability | Ubuntu security notices | Ubuntu UBUNTU usn.ubuntu.com
[security-announce] openSUSE-SU-2019:2452-1: important: Recommended upda SUSE lists.opensuse.org
Debian -- Security Information -- DSA-4571-1 thunderbird DEBIAN www.debian.org
USN-4202-1: Thunderbird vulnerabilities | Ubuntu security notices | Ubuntu UBUNTU usn.ubuntu.com
[security-announce] openSUSE-SU-2019:2204-1: moderate: Security update f SUSE lists.opensuse.org
About the security content of tvOS 13.3 - Apple Support CONFIRM support.apple.com
Bugtraq: APPLE-SA-2019-12-10-8 watchOS 6.1.1 BUGTRAQ seclists.org
[security-announce] openSUSE-SU-2019:2425-1: important: Security update SUSE lists.opensuse.org
Slackware Security Advisory - python Updates ≈ Packet Storm MISC packetstormsecurity.com
Full Disclosure: APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra FULLDISC seclists.org
[security-announce] openSUSE-SU-2019:2464-1: important: Recommended upda SUSE lists.opensuse.org
USN-4132-1: Expat vulnerability | Ubuntu security notices | Ubuntu UBUNTU usn.ubuntu.com
[CVE-2019-15903] Heap overflow in XML_GetCurrentLineNumber · Issue #317 · libexpat/libexpat · GitHub MISC github.com Exploit, Issue Tracking, Third Party Advisory
Debian -- Security Information -- DSA-4530-1 expat DEBIAN www.debian.org
[SECURITY] Fedora 31 Update: expat-2.2.8-1.fc31 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
Bugtraq: [SECURITY] [DSA 4530-1] expat security update BUGTRAQ seclists.org
About the security content of iCloud for Windows 7.16 (includes AAS 8.2) - Apple Support CONFIRM support.apple.com
[R1] Nessus 8.15.0 Fixes Multiple Vulnerabilities - Security Advisory | Tenable® CONFIRM www.tenable.com
[security-announce] openSUSE-SU-2020:0086-1: important: Security update SUSE lists.opensuse.org
Oracle Critical Patch Update Advisory - October 2020 MISC www.oracle.com
About the security content of iTunes 12.10.3 for Windows - Apple Support CONFIRM support.apple.com
About the security content of iCloud for Windows 10.9 - Apple Support CONFIRM support.apple.com
Slackware Security Advisory - mozilla-firefox Updates ≈ Packet Storm MISC packetstormsecurity.com
Bugtraq: [slackware-security] python (SSA:2019-293-01) BUGTRAQ seclists.org
USN-4165-1: Firefox vulnerabilities | Ubuntu security notices | Ubuntu UBUNTU usn.ubuntu.com
[security-announce] openSUSE-SU-2019:2459-1: important: Security update SUSE lists.opensuse.org
[CVE-2019-15903] Deny internal entities closing the doctype (for #317) by hartwork · Pull Request #318 · libexpat/libexpat · GitHub MISC github.com Issue Tracking, Patch, Third Party Advisory
[SECURITY] Fedora 30 Update: expat-2.2.8-1.fc30 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
About the security content of macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra - Apple Support CONFIRM support.apple.com
Expat: Multiple vulnerabilities (GLSA 201911-08) — Gentoo security GENTOO security.gentoo.org
Bugtraq: [SECURITY] [DSA 4571-1] thunderbird security update BUGTRAQ seclists.org
Full Disclosure: APPLE-SA-2019-12-10-5 tvOS 13.3 FULLDISC seclists.org
[SECURITY] Fedora 29 Update: expat-2.2.8-1.fc29 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
Full Disclosure: APPLE-SA-2019-12-10-8 watchOS 6.1.1 FULLDISC seclists.org
USN-4335-1: Thunderbird vulnerabilities | Ubuntu security notices UBUNTU usn.ubuntu.com
[security-announce] openSUSE-SU-2019:2451-1: important: Security update SUSE lists.opensuse.org
Red Hat Customer Portal REDHAT access.redhat.com
[SECURITY] [DLA 1987-1] firefox-esr security update MLIST lists.debian.org
[SECURITY] Fedora 31 Update: expat-2.2.8-1.fc31 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
Full Disclosure: APPLE-SA-2019-12-10-1 iOS 13.3 and iPadOS 13.3 FULLDISC seclists.org
[SECURITY] Fedora 30 Update: expat-2.2.8-1.fc30 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
[SECURITY] Fedora 29 Update: expat-2.2.8-1.fc29 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
Bugtraq: [SECURITY] [DSA 4549-1] firefox-esr security update BUGTRAQ seclists.org
Bugtraq: [slackware-security] expat (SSA:2019-259-01) BUGTRAQ seclists.org
[security-announce] openSUSE-SU-2019:2420-1: important: Security update SUSE lists.opensuse.org
About the security content of watchOS 6.1.1 - Apple Support CONFIRM support.apple.com
Red Hat Customer Portal REDHAT access.redhat.com
[security-announce] openSUSE-SU-2019:2205-1: moderate: Security update f SUSE lists.opensuse.org
[SECURITY] [DLA 1997-1] thunderbird security update MLIST lists.debian.org
[security-announce] openSUSE-SU-2019:2424-1: important: Security update SUSE lists.opensuse.org
[security-announce] openSUSE-SU-2020:0010-1: important: Security update SUSE lists.opensuse.org
About the security content of iOS 13.3 and iPadOS 13.3 - Apple Support CONFIRM support.apple.com
CVE-2019-15903 Expat Vulnerability in NetApp Products | NetApp Product Security CONFIRM security.netapp.com
Oracle Critical Patch Update Advisory - April 2020 N/A www.oracle.com
Release Expat 2.2.8 · Issue #342 · libexpat/libexpat · GitHub CONFIRM github.com
Slackware Security Advisory - expat Updates ≈ Packet Storm MISC packetstormsecurity.com
Red Hat Customer Portal REDHAT access.redhat.com
Bugtraq: APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra BUGTRAQ seclists.org
[security-announce] openSUSE-SU-2019:2447-1: important: Security update SUSE lists.opensuse.org
Debian -- Security Information -- DSA-4549-1 firefox-esr DEBIAN www.debian.org
Bugtraq: APPLE-SA-2019-12-10-5 tvOS 13.3 BUGTRAQ seclists.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 296078 Oracle Solaris 11.4 Support Repository Update (SRU) 16.4.0 Missing (CPUOCT2019)
  • 296079 Oracle Solaris 11.4 Support Repository Update (SRU) 15.5.0 Missing (CPUOCT2019)
  • 375654 Tenable Nessus Multiple Vulnerabilities (TNS-2021-11)
  • 376403 F5 BIG-IP Application Security Manager (ASM), Local Traffic Manager (LTM), Access Policy Manager (APM) Expat Vulnerability (K05295469)
  • 377390 Alibaba Cloud Linux Security Update for expat (ALINUX3-SA-2022:0042)
  • 377519 Alibaba Cloud Linux Security Update for expat (ALINUX2-SA-2020:0139)
  • 500181 Alpine Linux Security Update for expat
  • 500587 Alpine Linux Security Update for python2
  • 500923 Alpine Linux Security Update for firefox-esr
  • 500944 Alpine Linux Security Update for firefox
  • 503829 Alpine Linux Security Update for firefox
  • 503913 Alpine Linux Security Update for expat
  • 591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
  • 710115 Gentoo Linux Expat Multiple vulnerabilities (GLSA 201911-08)
  • 730076 IBM MQ Appliance Denial of Service Vulnerability (6403285)
  • 770068 Red Hat OpenShift Container Platform 4.6 Security Update (RHSA-2021:0436)
  • 900404 Common Base Linux Mariner (CBL-Mariner) Security Update for expat (6265)
  • 940069 AlmaLinux Security Update for expat (ALSA-2020:4484)
  • 960835 Rocky Linux Security Update for expat (RLSA-2020:4484)
© CVE.report 2026