ROSA LABROSA-SA-2021-1906Advisory ROSA-SA-2021-1906
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.048 Low
EPSS
Percentile
92.6%
Software: libxslt 1.1.28
OS: Cobalt 7.9
CVE-ID: CVE-2015-7995
CVE-Crit: MEDIUM
CVE-DESC: The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, allowing attackers to cause a denial of service via a generated XML file related to the “type confusion” issue. .
CVE-STATUS: default
CVE-REV: default
CVE-ID: CVE-2015-9019
CVE-Crit: medium.
CVE-DESC: In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random starting number at run time, which could lead to this function being used to produce predictable results.
CVE-STATUS: default
CVE-REV: default
CVE-ID: CVE-2016-1683
CVE-Crit: HIGH
CVE-DESC: numbers.c in libxslt before 1.1.29, used in Google Chrome before 51.0.2704.63, does not properly handle namespace nodes, allowing remote attackers to cause a denial of service (access heap memory outside of bounds) or possibly have unspecified other impact via a crafted document.
CVE-STATUS: default
CVE-REV: default
CVE-ID: CVE-2016-1684
CVE-Crit: HIGH
CVE-DESC: numbers.c in libxslt before 1.1.29, which was used in Google Chrome before 51.0.2704.63, incorrectly handles the i format token for xsl: number data, allowing remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have an unspecified other impact via the generated document.
CVE-STATUS: default
CVE-REV: default
CVE-ID: CVE-2016-4607
CVE-Crit: CRITICAL
CVE-DESC: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 in Windows, iCloud before 5.2.1 in Windows, tvOS before 9.2.2 and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a vulnerability distinct from CVE-2016-4608, CVE-2016-4609, CVE-2016-4610 and CVE-2016-4612.
CVE-STATUS: default
CVE-REV: default
CVE-ID: CVE-2016-4609
CVE-Crit: CRITICAL
CVE-DESC: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 in Windows, iCloud before 5.2.1 in Windows, tvOS before 9.2.2 and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors - a vulnerability distinct from CVE-2016-4607, CVE-2016-4608, CVE-2016-4610 and CVE-2016-4612.
CVE-STATUS: default
CVE-REV: default
CVE-ID: CVE-2019-5815
CVE-Crit: HIGH
CVE-DESC: Confusion in xsltNumberFormatGetMultipleLevel types prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption using crafted XML data.
CVE-STATUS: default
CVE-REV: default
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.048 Low
EPSS
Percentile
92.6%