CVE-2018-1311

Name
CVE-2018-1311
Description
The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.
NVD Severity
unknown

References

Type URI
Mailing List https://marc.info/?l=xerces-c-users&m=157653840106914&w=2
Mitigation https://lists.apache.org/thread.html/r48ea463fde218b1e4cc1a1d05770a0cea34de0600b4355315a49226b@%3Cc-dev.xerces.apache.org%3E
REDHAT https://access.redhat.com/errata/RHSA-2020:0704
REDHAT https://access.redhat.com/errata/RHSA-2020:0702
MLIST https://lists.debian.org/debian-lts-announce/2020/12/msg00025.html
DEBIAN https://www.debian.org/security/2020/dsa-4814
MLIST https://lists.apache.org/thread.html/rabbcc0249de1dda70cda96fd9bcff78217be7a57d96e7dcc8cd96646@%3Cc-users.xerces.apache.org%3E
MLIST https://lists.apache.org/thread.html/rfeb8abe36bcca91eb603deef49fbbe46870918830a66328a780b8625@%3Cc-users.xerces.apache.org%3E
MLIST https://lists.apache.org/thread.html/r90ec105571622a7dc3a43b846c12732d2e563561dfb2f72941625f35@%3Cc-users.xerces.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r48ea463fde218b1e4cc1a1d05770a0cea34de0600b4355315a49226b%40%3Cc-dev.xerces.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r90ec105571622a7dc3a43b846c12732d2e563561dfb2f72941625f35%40%3Cc-users.xerces.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rabbcc0249de1dda70cda96fd9bcff78217be7a57d96e7dcc8cd96646%40%3Cc-users.xerces.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rfeb8abe36bcca91eb603deef49fbbe46870918830a66328a780b8625%40%3Cc-users.xerces.apache.org%3E
security@apache.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A6WWL4SWKAVYK6VK5YN7KZP4MZWC7IY/
Patch https://www.oracle.com/security-alerts/cpujan2022.html
security@apache.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AJYZUBGPVWJ7LEHRCMB5XVADQBNGURXD/
security@apache.org https://lists.debian.org/debian-lts-announce/2023/12/msg00027.html
security@apache.org http://www.openwall.com/lists/oss-security/2024/02/16/1

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:apache:xerces-c:*:*:*:*:*:*:*:* xerces-c >= 3.0.0 <= 3.2.2
cpe:2.3:a:apache:xerces-c\+\+:*:*:*:*:*:*:*:* xerces-c\+\+ >= 3.0.0 <= 3.2.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
xerces-c edge-community 3.2.5-r0 Andrew Bell <andrew.bell.ia@gmail.com> fixed
xerces-c 3.19-community 3.2.5-r0 Andrew Bell <andrew.bell.ia@gmail.com> fixed
xerces-c 3.20-community 3.2.5-r0 Andrew Bell <andrew.bell.ia@gmail.com> fixed