CVE-2018-1311

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 88%
VendorProductVersion
apachexerces-c\+\+
3.0.0 ≤
𝑥
< 3.2.5
redhatenterprise_linux_desktop
6.0
redhatenterprise_linux_desktop
7.0
redhatenterprise_linux_eus
7.7
redhatenterprise_linux_server
6.0
redhatenterprise_linux_server
7.0
redhatenterprise_linux_server_aus
7.7
redhatenterprise_linux_server_tus
7.7
redhatenterprise_linux_workstation
6.0
redhatenterprise_linux_workstation
7.0
debiandebian_linux
9.0
debiandebian_linux
10.0
oraclegoldengate
𝑥
< 21.4.0.0.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
xerces-c
bullseye
3.2.3+debian-3+deb11u1
fixed
jessie
postponed
bookworm
3.2.4+debian-1
fixed
sid
3.2.4+debian-1.3
fixed
trixie
3.2.4+debian-1.3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
xerces-c
mantic
Fixed 3.2.4+debian-1ubuntu0.23.10.1
released
lunar
Fixed 3.2.4+debian-1ubuntu0.23.04.1
released
kinetic
ignored
jammy
Fixed 3.2.3+debian-3ubuntu0.1
released
impish
ignored
hirsute
ignored
groovy
ignored
focal
Fixed 3.2.2+debian-1ubuntu0.1
released
eoan
ignored
disco
ignored
bionic
Fixed 3.2.0+debian-2ubuntu0.1~esm2
released
xenial
Fixed 3.1.3+debian-1ubuntu0.1~esm2
released
trusty
Fixed 3.1.1-5.1+deb8u4ubuntu0.1~esm1
released
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/02/16/1
https://access.redhat.com/errata/RHSA-2020:0702
https://access.redhat.com/errata/RHSA-2020:0704
https://lists.apache.org/thread.html/r48ea463fde218b1e4cc1a1d05770a0cea34de0600b4355315a49226b%40%3Cc-dev.xerces.apache.org%3E
https://lists.apache.org/thread.html/r90ec105571622a7dc3a43b846c12732d2e563561dfb2f72941625f35%40%3Cc-users.xerces.apache.org%3E
https://lists.apache.org/thread.html/rabbcc0249de1dda70cda96fd9bcff78217be7a57d96e7dcc8cd96646%40%3Cc-users.xerces.apache.org%3E
https://lists.apache.org/thread.html/rfeb8abe36bcca91eb603deef49fbbe46870918830a66328a780b8625%40%3Cc-users.xerces.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/12/msg00025.html
https://lists.debian.org/debian-lts-announce/2023/12/msg00027.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A6WWL4SWKAVYK6VK5YN7KZP4MZWC7IY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AJYZUBGPVWJ7LEHRCMB5XVADQBNGURXD/
https://marc.info/?l=xerces-c-users&m=157653840106914&w=2
https://www.debian.org/security/2020/dsa-4814
https://www.oracle.com/security-alerts/cpujan2022.html
http://www.openwall.com/lists/oss-security/2024/02/16/1
https://access.redhat.com/errata/RHSA-2020:0702
https://access.redhat.com/errata/RHSA-2020:0704
https://lists.apache.org/thread.html/r48ea463fde218b1e4cc1a1d05770a0cea34de0600b4355315a49226b%40%3Cc-dev.xerces.apache.org%3E
https://lists.apache.org/thread.html/r90ec105571622a7dc3a43b846c12732d2e563561dfb2f72941625f35%40%3Cc-users.xerces.apache.org%3E
https://lists.apache.org/thread.html/rabbcc0249de1dda70cda96fd9bcff78217be7a57d96e7dcc8cd96646%40%3Cc-users.xerces.apache.org%3E
https://lists.apache.org/thread.html/rfeb8abe36bcca91eb603deef49fbbe46870918830a66328a780b8625%40%3Cc-users.xerces.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/12/msg00025.html
https://lists.debian.org/debian-lts-announce/2023/12/msg00027.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A6WWL4SWKAVYK6VK5YN7KZP4MZWC7IY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AJYZUBGPVWJ7LEHRCMB5XVADQBNGURXD/
https://marc.info/?l=xerces-c-users&m=157653840106914&w=2
https://www.debian.org/security/2020/dsa-4814
https://www.oracle.com/security-alerts/cpujan2022.html