CVE-2019-13117

Public on 2019-07-01

Modified on 2020-01-17

Description

In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

Severity

Low

See what this means

CVSS v3 Base Score

3.3

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 2 - Core	java-11-amazon-corretto	2020-01-14 23:07	ALAS2-2020-1387

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	3.3	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
NVD	CVSSv2	5.0	AV:N/AC:L/Au:N/C:P/I:N/A:N
NVD	CVSSv3	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

Red Hat: CVE-2019-13117 Mitre: CVE-2019-13117 FAQs regarding Amazon Linux ALAS/CVE Severity