Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtOWctanI4Yy1jcXcz

Depth counting error in guard() leading to multiple potential security issues in aioxmpp

Impact

Possible remote Denial of Service or Data Injection.

Patches

Patches are available in https://github.com/horazont/aioxmpp/pull/268. They have been backported to the 0.10 release series and 0.10.3 is the first release to contain the fix.

Workarounds

To make the bug exploitable, an error suppressing xso_error_handler is required. By not using xso_error_handlers or not using the suppression function, the vulnerability can be mitigated completely (to our knowledge).

References

The pull request contains a detailed description: https://github.com/horazont/aioxmpp/pull/268

For more information

If you have any questions or comments about this advisory:

• Join our chat
• Email the maintainer Jonas Schäfer

Permalink: https://github.com/advisories/GHSA-6m9g-jr8c-cqw3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtOWctanI4Yy1jcXcz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: 5 months ago

CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Percentage: 0.00094
EPSS Percentile: 0.40967

Identifiers: GHSA-6m9g-jr8c-cqw3, CVE-2019-1000007
References:

• https://github.com/horazont/aioxmpp/security/advisories/GHSA-6m9g-jr8c-cqw3
• https://github.com/horazont/aioxmpp/pull/268
• https://github.com/horazont/aioxmpp/commit/29ff0838a40f58efe30a4bbcea95aa8dab7da475
• https://github.com/horazont/aioxmpp/commit/f151f920f439d97d4103fc11057ed6dc34fe98be
• https://nvd.nist.gov/vuln/detail/CVE-2019-1000007
• https://github.com/advisories/GHSA-6m9g-jr8c-cqw3
• https://github.com/pypa/advisory-database/tree/main/vulns/aioxmpp/PYSEC-2019-1.yaml

Repository: https://github.com/horazont/aioxmpp
Blast Radius: 12.5

Affected Packages