This repository has been archived by the owner on Jan 14, 2024. It is now read-only.

Depth counting error in guard() leading to multiple potential security issues

Low
horazont published GHSA-6m9g-jr8c-cqw3 May 23, 2019 · 1 comment

Package

aioxmpp (PyPI)

Affected versions

< 0.10.3

Patched versions

0.10.3, 0.11.0

Description

Impact

Possible remote Denial of Service or Data Injection.

Patches

Patches are available in #268. They have been backported to the 0.10 release series and 0.10.3 is the first release to contain the fix.

Workarounds

To make the bug exploitable, an error-suppressing xso_error_handler is required. By not using an xso_error_handler, or by not using its suppression function, the vulnerability can be mitigated completely (to our knowledge).

References

The pull request contains a detailed description: #268

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2019-1000007

Weaknesses

No CWEs