Possible remote Denial of Service or Data Injection.
Patches are available in https://github.com/horazont/aioxmpp/pull/268. They have been backported to the 0.10 release series and 0.10.3 is the first release to contain the fix.
To make the bug exploitable, an error suppressing xso_error_handler
is required. By not using xso_error_handlers
or not using the suppression function, the vulnerability can be mitigated completely (to our knowledge).
The pull request contains a detailed description: https://github.com/horazont/aioxmpp/pull/268
If you have any questions or comments about this advisory:
github.com/horazont/aioxmpp
github.com/horazont/aioxmpp/commit/29ff0838a40f58efe30a4bbcea95aa8dab7da475
github.com/horazont/aioxmpp/commit/f151f920f439d97d4103fc11057ed6dc34fe98be
github.com/horazont/aioxmpp/pull/268
github.com/horazont/aioxmpp/security/advisories/GHSA-6m9g-jr8c-cqw3
nvd.nist.gov/vuln/detail/CVE-2019-1000007