CVE-2018-20592 - In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd function of the mxml-node.c f

CVE-2018-20592

Summary

In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd function of the mxml-node.c file. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted xml file, as demonstrated by mxmldoc.

References

Vulnerable Configurations

cpe:2.3:a:msweet:mini-xml:2.12:*:*:*:*:*:*:*
cpe:2.3:a:msweet:mini-xml:2.12:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 03-04-2019 - 13:36)
Impact:
Exploitability:

CWE

CWE-416

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:N/I:N/A:P

refmap via4

fedora	FEDORA-2019-d333d01e08 FEDORA-2019-f99619e34d
misc	https://github.com/michaelrsweet/mxml/issues/237 https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/uaf_mxml-node.c:128_1.txt.err https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/uaf_mxml-node.c:128_2.txt.err

Last major update

03-04-2019 - 13:36

Published

30-12-2018 - 18:29

Last modified

03-04-2019 - 13:36