ID CVE-2015-7995
Summary The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, which allows attackers to cause a denial of service via a crafted XML file, related to a "type confusion" issue.
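The summary above, and the libxslt maintainer's note quoted in the FreeBSD plugin entry further down ("we need to check that the parent node is an element before dereferencing its namespace"), describe the root cause and the fix in one sentence. The C program below is an added illustration, not code from libxslt or libxml2 and not the upstream patch: it uses simplified, constructed stand-ins for libxml2's xmlNode and xmlDoc that share a common header but differ after it, so reading `->ns` through a document node reinterprets two integer fields as a pointer. `parent_ns_unchecked` has the shape of the pre-fix access, while `parent_is_xslt_element` adds the type check the advisory describes. The struct layouts, the node and function names, and the constant values 9 and 1 are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed, simplified stand-ins for libxml2's xmlNode and xmlDoc (not the
 * real headers). Both start with the same header fields; the tail differs.
 * An element keeps a namespace pointer where a document keeps two plain ints,
 * so code that treats a document as an element and reads ->ns gets those ints
 * reinterpreted as a pointer.
 */
typedef enum { XML_ELEMENT_NODE = 1, XML_DOCUMENT_NODE = 9 } node_type_t;

typedef struct { const char *href; const char *prefix; } ns_t;

typedef struct node {
    void        *_private;
    node_type_t  type;
    const char  *name;
    struct node *parent;
    ns_t        *ns;            /* only meaningful for XML_ELEMENT_NODE */
} node_t;

typedef struct {
    void        *_private;
    node_type_t  type;
    const char  *name;
    struct node *parent;
    int          compression;   /* occupies the slot that holds ns in node_t */
    int          standalone;
} doc_t;

/* A union so that viewing the document through node_t is defined punning. */
typedef union { node_t node; doc_t doc; } any_node_t;

#define XSLT_NAMESPACE "http://www.w3.org/1999/XSL/Transform"

/* Pre-fix shape: trusts that the parent is an element and returns whatever
 * sits in its ns slot. Returned as an integer so callers can inspect it
 * without dereferencing it (the real library dereferenced it and crashed). */
uintptr_t parent_ns_unchecked(const node_t *inst)
{
    return (uintptr_t)inst->parent->ns;
}

/* Fixed shape: confirm the parent is an element before touching fields that
 * only elements have. Returns 1 when the parent is an element in the XSLT
 * namespace, 0 otherwise. */
int parent_is_xslt_element(const node_t *inst)
{
    const node_t *parent = inst->parent;
    if (parent == NULL || parent->type != XML_ELEMENT_NODE)
        return 0;
    if (parent->ns == NULL || parent->ns->href == NULL)
        return 0;
    return strcmp(parent->ns->href, XSLT_NAMESPACE) == 0;
}

static ns_t xslt_ns = { XSLT_NAMESPACE, "xsl" };

/* Constructed tree 1: <xsl:stylesheet><xsl:template/></xsl:stylesheet>.
 * The template's parent is an element, so both paths agree. */
static node_t stylesheet_el = { NULL, XML_ELEMENT_NODE, "stylesheet", NULL, &xslt_ns };
static node_t template_el   = { NULL, XML_ELEMENT_NODE, "template", &stylesheet_el, &xslt_ns };

/* Constructed tree 2: xsl:stylesheet is the document element, so its parent
 * is the document record itself, not an element. The values 9 and 1 are
 * arbitrary; they are what the unchecked read turns into a "pointer". */
static any_node_t doc = { .doc = { NULL, XML_DOCUMENT_NODE, "doc", NULL, 9, 1 } };
static node_t top_el = { NULL, XML_ELEMENT_NODE, "stylesheet", &doc.node, &xslt_ns };

int main(void)
{
    printf("template under stylesheet: unchecked ns=%#lx checked=%d\n",
           (unsigned long)parent_ns_unchecked(&template_el),
           parent_is_xslt_element(&template_el));
    printf("stylesheet under document: unchecked ns=%#lx checked=%d\n",
           (unsigned long)parent_ns_unchecked(&top_el),
           parent_is_xslt_element(&top_el));
    return 0;
}
```

Compile with `cc -Wall example.c`. For the element parent the unchecked read returns the genuine namespace pointer; for the document parent it returns a value assembled from the two integers, which is neither NULL nor a valid `ns_t`, and dereferencing it is the crash behind the denial of service. The general discipline when walking a libxml2 tree is the same as in the fixed function: test `type` before reading any field that exists only on a particular node kind.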
Vulnerable Configurations
  • Apple TV 9.1
    cpe:2.3:o:apple:apple_tv:9.1
  • Apple iPhone OS 9.2
    cpe:2.3:o:apple:iphone_os:9.2
  • Apple Mac OS X 10.11.2
    cpe:2.3:o:apple:mac_os_x:10.11.2
  • Apple WatchOS 2.1
    cpe:2.3:o:apple:watchos:2.1
  • XMLSoft libxslt 1.1.28
    cpe:2.3:a:xmlsoft:libxslt:1.1.28
CVSS
Base: 5.0 (as of 24-06-2016 - 18:48); CVSS v2 vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Access: Vector NETWORK, Complexity LOW, Authentication NONE
Impact: Confidentiality NONE, Integrity NONE, Availability PARTIAL
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2016-001.NASL
    description The remote host is running a version of Mac OS X 10.9.5 or 10.10.5 that is missing Security Update 2016-001. It is, therefore, affected by a remote code execution vulnerability due to a type confusion flaw in the bundled libxslt component that is triggered when handling invalid values. A remote attacker can exploit this, via a specially crafted website, to cause a denial of service condition or the execution of arbitrary code.
    last seen 2019-01-16
    modified 2018-07-16
    plugin id 88048
    published 2016-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88048
    title Mac OS X Libxslt Function Type Confusion RCE (Security Update 2016-001)
  • NASL family Misc.
    NASL id APPLETV_7_2_1.NASL
    description According to its banner, the remote Apple TV device is a version prior to 7.2.1. It is, therefore, affected by multiple vulnerabilities in the following components : - bootp - CFPreferences - CloudKit - Code Signing - CoreMedia Playback - CoreText - DiskImages - FontParser - ImageIO - IOHIDFamily - IOKit - Kernel - Libc - Libinfo - libpthread - libxml2 - libxpc - libxslt - Location Framework - Office Viewer - QL Office - Sandbox_profiles - WebKit
    last seen 2019-01-16
    modified 2018-12-14
    plugin id 90315
    published 2016-04-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90315
    title Apple TV < 7.2.1 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-609.NASL
    description This update for libxslt fixes the following security issues : - CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page (bsc#1035905). - CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string (bsc#1005591). - CVE-2015-9019: Properly initialize random generator (bsc#934119). - CVE-2015-7995: Vulnerability in function 'xsltStylePreCompute' in preproc.c could cause a type confusion leading to DoS. (bsc#952474) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-01-16
    modified 2017-05-24
    plugin id 100367
    published 2017-05-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100367
    title openSUSE Security Update : libxslt (openSUSE-2017-609)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-148-02.NASL
    description New libxslt packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.
    last seen 2018-09-01
    modified 2016-05-31
    plugin id 91354
    published 2016-05-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91354
    title Slackware 14.0 / 14.1 / current : libxslt (SSA:2016-148-02)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3271-1.NASL
    description Holger Fuhrmannek discovered an integer overflow in the xsltAddTextString() function in Libxslt. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possibly execute arbitrary code. (CVE-2017-5029) Nicolas Gregoire discovered that Libxslt mishandled namespace nodes. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1683) Sebastian Apelt discovered that a use-after-free existed in the xsltDocumentFunctionLoadDocument() function in Libxslt. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1841) It was discovered that a type confusion error existed in the xsltStylePreCompute() function in Libxslt. An attacker could use this to craft a malicious XML file that, when opened, caused a denial of service (application crash). This issue only affected Ubuntu 14.04 LTS and Ubuntu 12.04 LTS. (CVE-2015-7995) Nicolas Gregoire discovered that Libxslt mishandled the 'i' and 'a' format tokens for xsl:number data. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash). This issue only affected Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1684) It was discovered that the xsltFormatNumberConversion() function in Libxslt did not properly handle empty decimal separators. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash). This issue only affected Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-4738). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 99725
    published 2017-04-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99725
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : libxslt vulnerabilities (USN-3271-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_ECC268F28FC211E5918CBCAEC565249C.NASL
    description libxslt maintainer reports : CVE-2015-7995 : http://www.openwall.com/lists/oss-security/2015/10/27/10 We need to check that the parent node is an element before dereferencing its namespace.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 87001
    published 2015-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87001
    title FreeBSD : libxslt -- DoS vulnerability due to type confusing error (ecc268f2-8fc2-11e5-918c-bcaec565249c)
  • NASL family Web Servers
    NASL id HPSMH_7_5_5.NASL
    description According to its banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is affected by the following vulnerabilities : - A denial of service vulnerability exists in the Apache HTTP Server due to the lack of the mod_reqtimeout module. An unauthenticated, remote attacker can exploit this, via a saturation of partial HTTP requests, to cause a daemon outage. (CVE-2007-6750) - A cross-site scripting (XSS) vulnerability exists in jQuery when using location.hash to select elements. An unauthenticated, remote attacker can exploit this, via a specially crafted tag, to inject arbitrary script code or HTML into the user's browser session. (CVE-2011-4969) - A NULL pointer dereference flaw exists in file rsa_ameth.c due to improper handling of ASN.1 signatures that are missing the PSS parameter. A remote attacker can exploit this to cause the signature verification routine to crash, resulting in a denial of service condition. (CVE-2015-3194) - A flaw exists in the ASN1_TFLG_COMBINE implementation in file tasn_dec.c related to handling malformed X509_ATTRIBUTE structures. A remote attacker can exploit this to cause a memory leak by triggering a decoding failure in a PKCS#7 or CMS application, resulting in a denial of service. (CVE-2015-3195) - An out-of-bounds read error exists in cURL and libcurl within the smb_request_state() function due to improper bounds checking. An unauthenticated, remote attacker can exploit this, using a malicious SMB server and crafted length and offset values, to disclose sensitive memory information or to cause a denial of service condition. (CVE-2015-3237) - A flaw exists in libxslt in the xsltStylePreCompute() function within file preproc.c due to a failure to check if the parent node is an element. An unauthenticated, remote attacker can exploit this, via a specially crafted XML file, to cause a denial of service condition. (CVE-2015-7995) - An infinite loop condition exists in the xz_decomp() function within file xzlib.c when handling xz compressed XML content due to a failure to detect compression errors. An unauthenticated, remote attacker can exploit this, via specially crafted XML data, to cause a denial of service condition. (CVE-2015-8035) - A double-free error exists due to improper validation of user-supplied input when parsing malformed DSA private keys. A remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-0705) - An out-of-bounds read error exists in the fmtstr() function within file crypto/bio/b_print.c when printing very long strings due to a failure to properly calculate string lengths. An unauthenticated, remote attacker can exploit this, via a long string, to cause a denial of service condition, as demonstrated by a large amount of ASN.1 data. (CVE-2016-0799) - An unspecified flaw exists that allows a local attacker to impact the confidentiality and integrity of the system. No other details are available. (CVE-2016-2015) - A flaw exists in the doapr_outch() function within file crypto/bio/b_print.c due to a failure to verify that a certain memory allocation succeeds. An unauthenticated, remote attacker can exploit this, via a long string, to cause a denial of service condition, as demonstrated by a large amount of ASN.1 data. (CVE-2016-2842)
    last seen 2019-01-16
    modified 2018-11-15
    plugin id 91222
    published 2016-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91222
    title HP System Management Homepage Multiple Vulnerabilities (HPSBMU03593)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_11_3.NASL
    description The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.3. It is, therefore, affected by multiple vulnerabilities in the following components : - AppleGraphicsPowerManagement - Disk Images - IOAcceleratorFamily - IOHIDFamily - IOKit - Kernel - libxslt - OSA Scripts - syslog Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-01-16
    modified 2018-07-14
    plugin id 88047
    published 2016-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88047
    title Mac OS X 10.11.x < 10.11.3 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-514.NASL
    description Several vulnerabilities were found in libxslt. CVE-2015-7995 A missing type check could cause an application crash via an especially crafted file. CVE-2016-1683 An out of bounds heap access bug was found in libxslt. CVE-2016-1684 There was an integer overflow bug in libxslt that could lead to an application crash. For Debian 7 'Wheezy', these problems have been fixed in version 1.1.26-14.1+deb7u1. We recommend that you upgrade your libxslt packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-07-09
    plugin id 91578
    published 2016-06-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91578
    title Debian DLA-514-1 : libxslt security update
  • NASL family Misc.
    NASL id APPLETV_9_1_1.NASL
    description According to its banner, the remote Apple TV device is a version prior to 9.1.1. It is, therefore, affected by the following vulnerabilities : - A type confusion error exists in the bundled libxslt library due to improper handling of invalid values. An attacker can exploit this to crash the application, resulting in a denial of service condition. (CVE-2015-7995) - A memory corruption issue exists due to improper validation of user-supplied input when handling disk images. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1717) - A use-after-free error exists in the IOHIDFamily API due to improper validation of user-supplied input. A local attacker can exploit this to dereference already freed memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-1719) - A memory corruption issue exists in IOKit due to improper validation of user-supplied input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1720) - A memory corruption issue exists in the Kernel due to improper validation of user-supplied input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1721) - An overflow condition exists in the add_lockdown_session() function due to improper validation of user-supplied input. A local attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-1722) - Multiple memory corruption issues exist in WebKit due to improper validation of user-supplied input. A remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1724, CVE-2016-1727)
    last seen 2019-01-16
    modified 2018-12-14
    plugin id 88418
    published 2016-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88418
    title Apple TV < 9.1.1 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1282-1.NASL
    description This update for libxslt fixes the following issues : - CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page (bsc#1035905). - CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string (bsc#1005591). - CVE-2015-9019: Properly initialize random generator (bsc#934119). - CVE-2015-7995: Vulnerability in function 'xsltStylePreCompute' in preproc.c could cause a type confusion leading to DoS. (bsc#952474) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-30
    plugin id 100208
    published 2017-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100208
    title SUSE SLES11 Security Update : libxslt (SUSE-SU-2017:1282-1)
  • NASL family CGI abuses
    NASL id SPLUNK_6334.NASL
    description According to its version number, the instance of Splunk hosted on the remote web server is Enterprise 5.0.x prior to 5.0.15, 6.0.x prior to 6.0.11, 6.1.x prior to 6.1.10, 6.2.x prior to 6.2.9, 6.3.x prior to 6.3.3.4, Light 6.2.x prior to 6.2.9, or Light 6.3.x prior to 6.3.3.4. It is, therefore, affected by the following vulnerabilities : - A type confusion error exists in the bundled version of libxslt in the xsltStylePreCompute() function due to improper handling of invalid values. A context-dependent attacker can exploit this, via crafted XML files, to cause a denial of service condition. (CVE-2015-7995) - A key disclosure vulnerability exists in the bundled version of OpenSSL due to improper handling of cache-bank conflicts on the Intel Sandy-bridge microarchitecture. An attacker can exploit this to gain access to RSA key information. (CVE-2016-0702) - A double-free error exists in the bundled version of OpenSSL due to improper validation of user-supplied input when parsing malformed DSA private keys. A remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-0705) - A NULL pointer dereference flaw exists in the bundled version of OpenSSL in the BN_hex2bn() and BN_dec2bn() functions. A remote attacker can exploit this to trigger a heap corruption, resulting in the execution of arbitrary code. (CVE-2016-0797) - A denial of service vulnerability exists in the bundled version of OpenSSL due to improper handling of invalid usernames. A remote attacker can exploit this, via a specially crafted username, to leak 300 bytes of memory per connection, exhausting available memory resources. (CVE-2016-0798) - Multiple memory corruption issues exist in the bundled version of OpenSSL that allow a remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-0799) - A flaw exists in the bundled version of OpenSSL that allows a cross-protocol Bleichenbacher padding oracle attack known as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption). This vulnerability exists due to a flaw in the Secure Sockets Layer Version 2 (SSLv2) implementation, and it allows captured TLS traffic to be decrypted. A man-in-the-middle attacker can exploit this to decrypt the TLS connection by utilizing previously captured traffic and weak cryptography along with a series of specially crafted connections to an SSLv2 server that uses the same private key. (CVE-2016-0800) - A flaw exists due to improper handling of specially crafted HTTP requests that contain specific headers. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. - A flaw exists due to improper handling of malformed HTTP requests. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. - A flaw exists that is triggered when directly accessing objects. An authenticated, remote attacker can exploit this to disclose search logs. - A flaw exists due to the failure to honor the sslVersions keyword for TLS protocol versions, preventing users from enforcing TLS policies. - A path traversal vulnerability exists in the 'collect' command due to improper sanitization of user-supplied input. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code with the privileges of the user running the splunkd process. - A path traversal vulnerability exists in the 'inputcsv' and 'outputcsv' commands due to improper sanitization of user-supplied input. An authenticated, remote attacker can exploit this, via a specially crafted request, to access or overwrite file paths. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 90705
    published 2016-04-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90705
    title Splunk Enterprise < 5.0.15 / 6.0.11 / 6.1.10 / 6.2.9 / 6.3.3.4 or Splunk Light < 6.2.9 / 6.3.3.4 Multiple Vulnerabilities (DROWN)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1313-1.NASL
    description This update for libxslt fixes the following issues : - CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page (bsc#1035905). - CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string (bsc#1005591). - CVE-2015-9019: Properly initialize random generator (bsc#934119). - CVE-2015-7995: Vulnerability in function 'xsltStylePreCompute' in preproc.c could cause a type confusion leading to DoS. (bsc#952474) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-30
    plugin id 100243
    published 2017-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100243
    title SUSE SLED12 / SLES12 Security Update : libxslt (SUSE-SU-2017:1313-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-661.NASL
    description This update for libxslt fixes the following issues : - CVE-2015-7995: A type confusion in preprocessing attributes was fixed [boo#952474].
    last seen 2019-01-16
    modified 2016-06-01
    plugin id 91408
    published 2016-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91408
    title openSUSE Security Update : libxslt (openSUSE-2016-661)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3605.NASL
    description Several vulnerabilities were discovered in libxslt, an XSLT processing runtime library, which could lead to information disclosure or denial-of-service (application crash) against an application using the libxslt library.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 91693
    published 2016-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91693
    title Debian DSA-3605-1 : libxslt - security update
refmap via4
apple
  • APPLE-SA-2016-01-19-1
  • APPLE-SA-2016-01-19-2
  • APPLE-SA-2016-01-25-1
  • APPLE-SA-2016-03-21-2
bid 77325
confirm
debian DSA-3605
mlist
  • [oss-security] 20151027 CVE request: libxslt xsltStylePreCompute() type confusion DoS
  • [oss-security] 20151028 Re: CVE request: libxslt xsltStylePreCompute() type confusion DoS
sectrack
  • 1034736
  • 1038623
slackware SSA:2016-148-02
suse openSUSE-SU-2016:1439
Last major update 30-11-2016 - 22:01
Published 17-11-2015 - 10:59
Last modified 08-12-2017 - 21:29