{ "threat_severity" : "Low", "public_date" : "2019-09-04T00:00:00Z", "bugzilla" : { "description" : "expat: heap-based buffer over-read via crafted XML input", "id" : "1752592", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1752592" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "(CWE-122|CWE-125)", "details" : [ "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read." ], "affected_release" : [ { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-curl-0:7.64.1-36.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_jk-0:1.2.48-4.redhat_1.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-curl-0:7.64.1-36.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_jk-0:1.2.48-4.redhat_1.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2644", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-openssl-pkcs11-0:0.4.10-7.jbcs.el7" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2019-11-06T00:00:00Z", "advisory" : "RHSA-2019:3756", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "thunderbird-0:68.2.0-2.el6_10" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2019-10-24T00:00:00Z", "advisory" : "RHSA-2019:3193", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "firefox-0:68.2.0-1.el7_7" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2019-10-29T00:00:00Z", "advisory" : "RHSA-2019:3210", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "thunderbird-0:68.2.0-1.el7_7" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2020-09-29T00:00:00Z", "advisory" : "RHSA-2020:3952", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "expat-0:2.1.0-12.el7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2019-10-24T00:00:00Z", "advisory" : "RHSA-2019:3196", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "firefox-0:68.2.0-2.el8_0" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2019-10-29T00:00:00Z", "advisory" : "RHSA-2019:3237", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "thunderbird-0:68.2.0-1.el8_0" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2020-11-04T00:00:00Z", "advisory" : "RHSA-2020:4484", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "expat-0:2.2.5-4.el8" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2025-12-09T00:00:00Z", "advisory" : "RHSA-2025:22871", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "expat-0:2.2.10-1.el8_2" }, { "product_name" : "Red Hat OpenShift Do", "release_date" : "2021-03-22T00:00:00Z", "advisory" : "RHSA-2021:0949", "cpe" : "cpe:/a:redhat:openshift_do:1.0::el7", "package" : "openshiftdo/odo-init-image-rhel7:1.1.3-2" }, { "product_name" : "Text-Only JBCS", "release_date" : "2020-06-22T00:00:00Z", "advisory" : "RHSA-2020:2646", "cpe" : "cpe:/a:redhat:jboss_core_services:1", "package" : "expat" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Out of support scope", "package_name" : "expat", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Out of support scope", "package_name" : "firefox", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Out of support scope", "package_name" : "thunderbird", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Out of support scope", "package_name" : "xmlrpc-c", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Not affected", "package_name" : "xulrunner", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "compat-expat1", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "expat", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "firefox", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "xulrunner", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "python", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "xulrunner", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "mingw-expat", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "python2", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "python3", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Out of support scope", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-15903\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-15903" ], "name" : "CVE-2019-15903", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }