CVE-2018-1311

EUVD-2018-11912
The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 8.1 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
EPSS Score
Percentile: 88%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| apache | xerces-c++ | 3.0.0 ≤ x < 3.2.5 |
| redhat | enterprise_linux_desktop | 6.0 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_eus | 7.7 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_server_aus | 7.7 |
| redhat | enterprise_linux_server_tus | 7.7 |
| redhat | enterprise_linux_workstation | 6.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
| oracle | goldengate | x < 21.4.0.0.0 |

x = Vulnerable software versions
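Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| xerces-c | bookworm | 3.2.4+debian-1 | fixed |
| xerces-c | bullseye | 3.2.3+debian-3+deb11u1 | fixed |
| xerces-c | jessie | | postponed |
| xerces-c | sid | 3.2.4+debian-1.3 | fixed |
| xerces-c | trixie | 3.2.4+debian-1.3 | fixed |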
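Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| xerces-c | bionic | Fixed 3.2.0+debian-2ubuntu0.1~esm2 | released |
| xerces-c | disco | | ignored |
| xerces-c | eoan | | ignored |
| xerces-c | focal | Fixed 3.2.2+debian-1ubuntu0.1 | released |
| xerces-c | groovy | | ignored |
| xerces-c | hirsute | | ignored |
| xerces-c | impish | | ignored |
| xerces-c | jammy | Fixed 3.2.3+debian-3ubuntu0.1 | released |
| xerces-c | kinetic | | ignored |
| xerces-c | lunar | Fixed 3.2.4+debian-1ubuntu0.23.04.1 | released |
| xerces-c | mantic | Fixed 3.2.4+debian-1ubuntu0.23.10.1 | released |
| xerces-c | trusty | Fixed 3.1.1-5.1+deb8u4ubuntu0.1~esm1 | released |
| xerces-c | xenial | Fixed 3.1.3+debian-1ubuntu0.1~esm2 | released |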
References