Vulnerabilities > CVE-2019-20388 - Memory Leak vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

nessus

NVD

Published: 2020-01-21

Updated: 2023-11-09

Summary

xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.

Vulnerable Configurations

Part	Description	Count
Application	Xmlsoft Xmlsoft Libxml2 2.9.10	1
Application	Netapp Netapp Cloud Backup - Netapp Steelstore Cloud Integrated Storage - Netapp Ontap Select Deploy Administration Utility - Netapp Clustered Data Ontap - Netapp SMI S Provider - Netapp Snapdrive - Netapp Plug IN FOR Symantec Netbackup -	7
Application	Oracle Oracle Peoplesoft Enterprise Peopletools 8.58 Oracle Enterprise Manager Base Platform 13.4.0.0 Oracle Enterprise Manager Base Platform 13.5.0.0 Oracle Enterprise Manager OPS Center 12.4.0.0 Oracle Real User Experience Insight 13.3.1.0 Oracle Real User Experience Insight 13.4.1.0 Oracle Real User Experience Insight 13.5.1.0 Oracle Mysql Workbench - Oracle Mysql Workbench 5.2.47 Oracle Mysql Workbench 6.0.9 Oracle Mysql Workbench 6.1.7 Oracle Mysql Workbench 6.2.5 Oracle Mysql Workbench 6.3.8 Oracle Mysql Workbench 6.3.10 Oracle Mysql Workbench 8.0.12 Oracle Mysql Workbench 8.0.13 Oracle Mysql Workbench 8.0.14 Oracle Mysql Workbench 8.0.15 Oracle Mysql Workbench 8.0.16 Oracle Mysql Workbench 8.0.17 Oracle Mysql Workbench 8.0.18 Oracle Mysql Workbench 8.0.19 Oracle Mysql Workbench 8.0.20 Oracle Mysql Workbench 8.0.21 Oracle Mysql Workbench 8.0.22 Oracle Mysql Workbench 8.0.23 Oracle Mysql Workbench 8.0.24 Oracle Mysql Workbench 8.0.25 Oracle Mysql Workbench 8.0.26 Oracle Communications Cloud Native Core Network Function Cloud Native Environment 1.10.0	30
OS	Debian Debian Debian Linux 9.0	1
OS	Netapp Netapp H300S Firmware - Netapp H500S Firmware - Netapp H700S Firmware - Netapp H300E Firmware - Netapp H500E Firmware - Netapp H700E Firmware - Netapp H410S Firmware -	7
OS	Opensuse Opensuse Leap 15.1	1
OS	Fedoraproject Fedoraproject Fedora 30 Fedoraproject Fedora 31 Fedoraproject Fedora 32	3
Hardware	Netapp Netapp H300S - Netapp H500S - Netapp H700S - Netapp H300E - Netapp H500E - Netapp H700E - Netapp H410S -	7

Common Weakness Enumeration (CWE)

CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')

Nessus

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2020-0C71C00AF4.NASL
description	Update to 2.9.10 and fix CVE-2019-19956, CVE-2019-20388 and CVE-2020-7595 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-06
modified	2020-04-30
plugin id	136149
published	2020-04-30
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136149
title	Fedora 30 : libxml2 (2020-0c71c00af4)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2020-1299-1.NASL
description	This update for libxml2 fixes the following issues : CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). CVE-2019-19956: Fixed a memory leak (bsc#1159928). CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-31
modified	2020-05-22
plugin id	136792
published	2020-05-22
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136792
title	SUSE SLED15 / SLES15 Security Update : libxml2 (SUSE-SU-2020:1299-1)

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2020-2_0-0225_LIBXML2.NASL
description	An update of the libxml2 package has been released.
last seen	2020-04-14
modified	2020-04-10
plugin id	135304
published	2020-04-10
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135304
title	Photon OS 2.0: Libxml2 PHSA-2020-2.0-0225

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2020-41FE1680F6.NASL
description	Fix CVE-2019-20388 and CVE-2020-7595 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-18
modified	2020-02-18
plugin id	133736
published	2020-02-18
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133736
title	Fedora 31 : libxml2 (2020-41fe1680f6)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2020-681.NASL
description	This update for libxml2 fixes the following issues : - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). This update was imported from the SUSE:SLE-15:Update update project.
last seen	2020-05-31
modified	2020-05-26
plugin id	136879
published	2020-05-26
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136879
title	openSUSE Security Update : libxml2 (openSUSE-2020-681)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2020-1408.NASL
description	According to the versions of the libxml2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.Security Fix(es):xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.(CVE-2019-20388)xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.(CVE-2020-7595)xmlParseBalancedChunkMemoryRec over in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.(CVE-2019-19956) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-06
modified	2020-04-15
plugin id	135537
published	2020-04-15
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135537
title	EulerOS 2.0 SP3 : libxml2 (EulerOS-SA-2020-1408)

References

CVE is a registered MITRE Corporation trademark and MITRE's CVE website is the authoritative source of CVE content. CWE is a registered MITRE Corporation trademark and MITRE's CWE website is the authoritative source of CWE content.