[jira] [Comment Edited] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17716851#comment-17716851 ]

Ilguiz Latypov edited comment on XERCESC-2188 at 4/26/23 8:33 PM:
--

Since 2019, the NIST record of this bug has included an upper boundary for the Xerces-C version, 3.2.2 (probably because it was the last known version of the product). It was updated to include 3.2.3 in 2020 (in the human-readable description) and 2022 (in the machine-readable one).

https://nvd.nist.gov/vuln/detail/CVE-2018-1311#VulnChangeHistorySection

Now that 3.2.4 is released, it shows as clean from the CVE despite still being vulnerable. This makes component scan users miss the danger.

Is there a way to remove the upper boundary from the CVE? I can see the change history at NIST extends to this year.

Hopefully a breaking change (4.0?) can be free from the vulnerability, at which point the CVE record could add the proper upper boundary.

was (Author: ilatypov):

Since 2019, the NIST record of this bug has included an upper boundary for the Xerces-C version, 3.2.3 (probably because it was the last known version of the product).

https://nvd.nist.gov/vuln/detail/CVE-2018-1311#VulnChangeHistorySection

Now that 3.2.4 is released, it shows as clean from the CVE despite still being vulnerable. This makes component scan users miss the danger.

Is there a way to remove the upper boundary from the CVE? I can see the change history at NIST extends to this year.

Hopefully a breaking change (4.0?) can be free from the vulnerability, at which point the CVE record could add the proper upper boundary.
> Use-after-free on external DTD scan
> ---
>
> Key: XERCESC-2188
> URL: https://issues.apache.org/jira/browse/XERCESC-2188
> Project: Xerces-C++
> Issue Type: Bug
> Components: Validating Parser (DTD)
> Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3, 3.1.4, 3.2.1, 3.2.2
> Reporter: Scott Cantor
> Priority: Major
> Attachments: Apache-496067-disclosure-report.pdf
>
> This is a record of an unfixed bug reported in 2018 in the DTD scanner, per the attached PDF, corresponding to CVE-2018-1311.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org
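The version-range mechanics behind the comment above, as an added example that is not part of the Jira thread or the Xerces-C project: a minimal scanner-style matcher that applies NVD cpe_match bounds (versionStartIncluding, versionStartExcluding, versionEndIncluding, versionEndExcluding) to an installed version. It shows why a record closed at versionEndIncluding 3.2.3 reports 3.2.4 as clean, what an open-ended range does instead, and a check that lists tracker-known affected versions the published range would miss. The CPE product string, the two range entries and the version list are constructed assumptions for illustration, not data copied from the NVD feed.

```python
"""Added example, not code from the Jira thread or the Xerces-C project.

Shows how a component scanner that matches an installed version against
NVD-style cpe_match range bounds behaves when the record carries a
versionEndIncluding boundary, and why a release past that boundary shows
as clean even though nothing was fixed.  All data below is constructed
for illustration (assumption), not copied from the real NVD record.
"""
from typing import Dict, List, Tuple

# A version is a tuple of (numeric component, trailing text) pairs so that
# plain tuple comparison gives numeric ordering per dotted position.
Version = Tuple[Tuple[int, str], ...]


def parse_version(text: str) -> Version:
    """'3.2.4' -> ((3, ''), (2, ''), (4, '')).  A non-numeric tail such as
    '4rc1' is kept as text so parsing never fails; note this is not
    semver-correct for pre-release tags, only the numeric positions matter
    for the ranges in this example."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)


def matches_entry(version: str, entry: Dict[str, object]) -> bool:
    """Apply the four optional NVD range bounds of one cpe_match entry.
    A bound that is absent is open-ended on that side."""
    if not entry.get("vulnerable", True):
        return False
    v = parse_version(version)
    lo_inc = entry.get("versionStartIncluding")
    lo_exc = entry.get("versionStartExcluding")
    hi_inc = entry.get("versionEndIncluding")
    hi_exc = entry.get("versionEndExcluding")
    if lo_inc is not None and v < parse_version(str(lo_inc)):
        return False
    if lo_exc is not None and v <= parse_version(str(lo_exc)):
        return False
    if hi_inc is not None and v > parse_version(str(hi_inc)):
        return False
    if hi_exc is not None and v >= parse_version(str(hi_exc)):
        return False
    return True


def is_affected(version: str, entries: List[Dict[str, object]]) -> bool:
    """True when any vulnerable range in the record contains the version."""
    return any(matches_entry(version, e) for e in entries)


def uncovered_versions(known_affected: List[str],
                       entries: List[Dict[str, object]]) -> List[str]:
    """Versions a bug tracker lists as affected that the CPE ranges would
    report as clean: exactly the false negatives a scanner will produce."""
    return [v for v in known_affected if not is_affected(v, entries)]


# Constructed entries (assumption).  The product string is illustrative only.
PRODUCT = "cpe:2.3:a:example:xerces-c:*:*:*:*:*:*:*:*"

# A record closed at 3.2.3, as the comment describes for CVE-2018-1311.
BOUNDED_RANGE = [{"cpe23Uri": PRODUCT, "vulnerable": True,
                  "versionStartIncluding": "3.0.0",
                  "versionEndIncluding": "3.2.3"}]

# What the comment asks for: no upper bound while no fixed release exists.
OPEN_RANGE = [{"cpe23Uri": PRODUCT, "vulnerable": True,
               "versionStartIncluding": "3.0.0"}]

# A subset of the Jira "Affects Versions" plus the two releases the second
# comment proposes adding (constructed list).
TRACKER_AFFECTED = ["3.0.0", "3.1.4", "3.2.2", "3.2.3", "3.2.4"]


if __name__ == "__main__":
    for v in ["3.2.2", "3.2.3", "3.2.4"]:
        print(v, "bounded:", is_affected(v, BOUNDED_RANGE),
              "open:", is_affected(v, OPEN_RANGE))
    print("missed by bounded range:",
          uncovered_versions(TRACKER_AFFECTED, BOUNDED_RANGE))
```

The practical check is `uncovered_versions`: feed it the tracker's affected list and the record's range entries, and anything it returns is a release your scanner will silently pass until the record's upper bound is removed or moved to a fixed version.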
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17716908#comment-17716908 ]

Ilguiz Latypov commented on XERCESC-2188:
-

Perhaps NVD and scan KBs rely on this ticket's description carrying the "affected versions" field. Adding 3.2.3 and 3.2.4 to it could at least confirm the presence of the weakness for others.

NVD mentions Apache as the CVE Numbering Authority for this issue.
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17716851#comment-17716851 ]

Ilguiz Latypov commented on XERCESC-2188:
-

Since 2019, the NIST record of this bug has included an upper boundary for the Xerces-C version, 3.2.3 (probably because it was the last known version of the product).

https://nvd.nist.gov/vuln/detail/CVE-2018-1311#VulnChangeHistorySection

Now that 3.2.4 is released, it shows as clean from the CVE despite still being vulnerable. This makes component scan users miss the danger.

Is there a way to remove the upper boundary from the CVE? I can see the change history at NIST extends to this year.

Hopefully a breaking change (4.0?) can be free from the vulnerability, at which point the CVE record could add the proper upper boundary.