{"id":"CVE-2019-13117","details":"In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.","aliases":["GHSA-4hm9-844j-jmxp"],"modified":"2026-03-11T07:50:56.009771Z","published":"2019-07-01T02:15:09.737Z","related":["MGASA-2019-0313","SUSE-SU-2019:1867-1","SUSE-SU-2020:0081-1","SUSE-SU-2020:0640-1","SUSE-SU-2020:0642-1","SUSE-SU-2020:1409-1","openSUSE-SU-2020:0731-1","openSUSE-SU-2024:11017-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ/"},{"type":"WEB"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190806-0004/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200122-0003/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4164-1/"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2019/11/17/2"},{"type":"REPORT","url":"https://oss-fuzz.com/testcase-detail/5631739747106816"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471"},{"type":"FIX","url":"https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1"}],"affected":[{"ran
ges":[{"type":"GIT","repo":"https://github.com/openjdk/jdk","events":[{"introduced":"0"},{"last_affected":"d5b466657e29a5338b84fa9acfc1b76bf8c39d61"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"19.10"}]}},{"type":"GIT","repo":"https://github.com/openjdk/jdk15u","events":[{"introduced":"0"},{"last_affected":"74882b0d0dbe23ee43b60ff4d5b2ede8a0ad4679"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"15.1"}]}},{"type":"GIT","repo":"https://gitlab.gnome.org/GNOME/libxslt","events":[{"introduced":"0"},{"last_affected":"f1eb717f04d9cc297cc5e58e94b81ac96f47e741"},{"fixed":"c5eb6cf3aba0af048596106ed839b4ae17ecbcb1"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.1.33"}]}}],"versions":["1.1.23","1.1.24","CVE-2015-7995","LIBXSLT_0_0_0","LIBXSLT_0_10_0","LIBXSLT_0_11_0","LIBXSLT_0_12_0","LIBXSLT_0_13_0","LIBXSLT_0_14_0","LIBXSLT_0_1_0","LIBXSLT_0_3_0","LIBXSLT_0_4_0","LIBXSLT_0_6_0","LIBXSLT_0_7_0","LIBXSLT_0_8_0","LIBXSLT_0_9_0","LIBXSLT_1_0_0","LIBXSLT_1_0_10","LIBXSLT_1_0_11","LIBXSLT_1_0_12","LIBXSLT_1_0_13","LIBXSLT_1_0_14","LIBXSLT_1_0_16","LIBXSLT_1_0_17","LIBXSLT_1_0_18","LIBXSLT_1_0_19","LIBXSLT_1_0_2","LIBXSLT_1_0_20","LIBXSLT_1_0_21","LIBXSLT_1_0_22","LIBXSLT_1_0_23","LIBXSLT_1_0_24","LIBXSLT_1_0_25","LIBXSLT_1_0_26","LIBXSLT_1_0_27","LIBXSLT_1_0_28","LIBXSLT_1_0_29","LIBXSLT_1_0_3","LIBXSLT_1_0_30","LIBXSLT_1_0_31","LIBXSLT_1_0_32","LIBXSLT_1_0_33","LIBXSLT_1_0_4","LIBXSLT_1_0_5","LIBXSLT_1_0_6","LIBXSLT_1_0_7","LIBXSLT_1_0_8","LIBXSLT_1_0_9","LIBXSLT_1_1_0","LIBXSLT_1_1_1","LIBXSLT_1_1_10","LIBXSLT_1_1_11","LIBXSLT_1_1_12","LIBXSLT_1_1_13","LIBXSLT_1_1_14","LIBXSLT_1_1_15","LIBXSLT_1_1_16","LIBXSLT_1_1_17","LIBXSLT_1_1_18","LIBXSLT_1_1_2","LIBXSLT_1_1_21","LIBXSLT_1_1_22","LIBXSLT_1_1_3","LIBXSLT_1_1_4","LIBXSLT_1_1_5","LIBXSLT_1_1_6","LIBXSLT_1_1_7","LIBXSLT_1_1_8","LIBXSLT_1_1_9","LIXSLT_0_5_0","jdk-10+0","jdk-10+1","jdk-10+10","jdk-10+11","jdk-10+12","jdk-10+13","jdk-10+14","jdk-10+15","
jdk-10+16","jdk-10+17","jdk-10+18","jdk-10+19","jdk-10+2","jdk-10+20","jdk-10+21","jdk-10+22","jdk-10+23","jdk-10+24","jdk-10+25","jdk-10+26","jdk-10+27","jdk-10+28","jdk-10+29","jdk-10+3","jdk-10+30","jdk-10+31","jdk-10+32","jdk-10+33","jdk-10+34","jdk-10+35","jdk-10+36","jdk-10+37","jdk-10+38","jdk-10+39","jdk-10+4","jdk-10+40","jdk-10+41","jdk-10+42","jdk-10+43","jdk-10+44","jdk-10+45","jdk-10+46","jdk-10+5","jdk-10+6","jdk-10+7","jdk-10+8","jdk-10+9","jdk-11+0","jdk-11+1","jdk-11+10","jdk-11+11","jdk-11+12","jdk-11+13","jdk-11+14","jdk-11+15","jdk-11+16","jdk-11+17","jdk-11+18","jdk-11+19","jdk-11+2","jdk-11+20","jdk-11+21","jdk-11+22","jdk-11+23","jdk-11+24","jdk-11+25","jdk-11+26","jdk-11+27","jdk-11+28","jdk-11+3","jdk-11+4","jdk-11+5","jdk-11+6","jdk-11+7","jdk-11+8","jdk-11+9","jdk-11-ga","jdk-12+0","jdk-12+1","jdk-12+10","jdk-12+11","jdk-12+12","jdk-12+13","jdk-12+14","jdk-12+15","jdk-12+16","jdk-12+17","jdk-12+18","jdk-12+19","jdk-12+2","jdk-12+20","jdk-12+21","jdk-12+22","jdk-12+23","jdk-12+24","jdk-12+25","jdk-12+26","jdk-12+27","jdk-12+28","jdk-12+29","jdk-12+3","jdk-12+30","jdk-12+31","jdk-12+32","jdk-12+33","jdk-12+4","jdk-12+5","jdk-12+6","jdk-12+7","jdk-12+8","jdk-12+9","jdk-12-ga","jdk-13+0","jdk-13+1","jdk-13+10","jdk-13+11","jdk-13+12","jdk-13+13","jdk-13+14","jdk-13+15","jdk-13+16","jdk-13+17","jdk-13+18","jdk-13+19","jdk-13+2","jdk-13+20","jdk-13+21","jdk-13+22","jdk-13+23","jdk-13+24","jdk-13+25","jdk-13+26","jdk-13+27","jdk-13+28","jdk-13+29","jdk-13+3","jdk-13+30","jdk-13+31","jdk-13+32","jdk-13+33","jdk-13+4","jdk-13+5","jdk-13+6","jdk-13+7","jdk-13+8","jdk-13+9","jdk-13-ga","jdk-14+0","jdk-14+1","jdk-14+10","jdk-14+11","jdk-14+12","jdk-14+13","jdk-14+14","jdk-14+15","jdk-14+16","jdk-14+17","jdk-14+18","jdk-14+19","jdk-14+2","jdk-14+20","jdk-14+21","jdk-14+22","jdk-14+23","jdk-14+24","jdk-14+25","jdk-14+26","jdk-14+27","jdk-14+28","jdk-14+29","jdk-14+3","jdk-14+30","jdk-14+31","jdk-14+32","jdk-14+33","jdk-14+34","jdk-14+35","jdk-14+36","jd
k-14+4","jdk-14+5","jdk-14+6","jdk-14+7","jdk-14+8","jdk-14+9","jdk-14-ga","jdk-15+0","jdk-15+1","jdk-15+10","jdk-15+11","jdk-15+12","jdk-15+13","jdk-15+14","jdk-15+15","jdk-15+16","jdk-15+17","jdk-15+18","jdk-15+19","jdk-15+2","jdk-15+20","jdk-15+21","jdk-15+22","jdk-15+23","jdk-15+24","jdk-15+25","jdk-15+26","jdk-15+27","jdk-15+28","jdk-15+29","jdk-15+3","jdk-15+30","jdk-15+31","jdk-15+32","jdk-15+33","jdk-15+34","jdk-15+35","jdk-15+36","jdk-15+4","jdk-15+5","jdk-15+6","jdk-15+7","jdk-15+8","jdk-15+9","jdk-15-ga","jdk-16+0","jdk-16+1","jdk-16+10","jdk-16+11","jdk-16+12","jdk-16+13","jdk-16+14","jdk-16+15","jdk-16+16","jdk-16+17","jdk-16+18","jdk-16+19","jdk-16+2","jdk-16+20","jdk-16+21","jdk-16+22","jdk-16+23","jdk-16+24","jdk-16+25","jdk-16+26","jdk-16+27","jdk-16+28","jdk-16+29","jdk-16+3","jdk-16+30","jdk-16+31","jdk-16+32","jdk-16+33","jdk-16+34","jdk-16+35","jdk-16+36","jdk-16+4","jdk-16+5","jdk-16+6","jdk-16+7","jdk-16+8","jdk-16+9","jdk-16-ga","jdk-17+0","jdk-17+1","jdk-17+10","jdk-17+11","jdk-17+12","jdk-17+13","jdk-17+14","jdk-17+15","jdk-17+16","jdk-17+17","jdk-17+18","jdk-17+19","jdk-17+2","jdk-17+20","jdk-17+21","jdk-17+22","jdk-17+23","jdk-17+24","jdk-17+25","jdk-17+26","jdk-17+27","jdk-17+28","jdk-17+29","jdk-17+3","jdk-17+30","jdk-17+31","jdk-17+32","jdk-17+33","jdk-17+34","jdk-17+35","jdk-17+4","jdk-17+5","jdk-17+6","jdk-17+7","jdk-17+8","jdk-17+9","jdk-17-ga","jdk-18+0","jdk-18+1","jdk-18+10","jdk-18+11","jdk-18+12","jdk-18+13","jdk-18+14","jdk-18+15","jdk-18+16","jdk-18+17","jdk-18+18","jdk-18+19","jdk-18+2","jdk-18+20","jdk-18+21","jdk-18+22","jdk-18+23","jdk-18+24","jdk-18+25","jdk-18+26","jdk-18+27","jdk-18+28","jdk-18+29","jdk-18+3","jdk-18+30","jdk-18+31","jdk-18+32","jdk-18+33","jdk-18+34","jdk-18+35","jdk-18+4","jdk-18+5","jdk-18+6","jdk-18+7","jdk-18+8","jdk-18+9","jdk-19+0","jdk-19+1","jdk-19+10","jdk-19+2","jdk-19+3","jdk-19+4","jdk-19+5","jdk-19+6","jdk-19+7","jdk-19+8","jdk-19+9","jdk-9+100","jdk-9+101","jdk-9+102","jdk-9+103","jdk-9+
104","jdk-9+105","jdk-9+106","jdk-9+107","jdk-9+108","jdk-9+109","jdk-9+110","jdk-9+111","jdk-9+112","jdk-9+113","jdk-9+114","jdk-9+115","jdk-9+116","jdk-9+117","jdk-9+118","jdk-9+119","jdk-9+120","jdk-9+121","jdk-9+122","jdk-9+123","jdk-9+124","jdk-9+125","jdk-9+126","jdk-9+127","jdk-9+128","jdk-9+129","jdk-9+130","jdk-9+131","jdk-9+132","jdk-9+133","jdk-9+134","jdk-9+135","jdk-9+136","jdk-9+137","jdk-9+138","jdk-9+139","jdk-9+140","jdk-9+141","jdk-9+142","jdk-9+143","jdk-9+144","jdk-9+145","jdk-9+146","jdk-9+147","jdk-9+148","jdk-9+149","jdk-9+150","jdk-9+151","jdk-9+152","jdk-9+153","jdk-9+154","jdk-9+155","jdk-9+156","jdk-9+157","jdk-9+158","jdk-9+159","jdk-9+160","jdk-9+161","jdk-9+162","jdk-9+163","jdk-9+164","jdk-9+165","jdk-9+166","jdk-9+167","jdk-9+168","jdk-9+169","jdk-9+170","jdk-9+171","jdk-9+172","jdk-9+173","jdk-9+174","jdk-9+175","jdk-9+176","jdk-9+177","jdk-9+178","jdk-9+179","jdk-9+180","jdk-9+181","jdk-9+95","jdk-9+96","jdk-9+97","jdk-9+98","jdk-9+99","jdk7-b100","jdk7-b101","jdk7-b102","jdk7-b103","jdk7-b104","jdk7-b105","jdk7-b106","jdk7-b107","jdk7-b108","jdk7-b109","jdk7-b110","jdk7-b111","jdk7-b112","jdk7-b113","jdk7-b114","jdk7-b115","jdk7-b116","jdk7-b117","jdk7-b118","jdk7-b119","jdk7-b120","jdk7-b121","jdk7-b122","jdk7-b123","jdk7-b124","jdk7-b125","jdk7-b126","jdk7-b127","jdk7-b128","jdk7-b129","jdk7-b130","jdk7-b131","jdk7-b132","jdk7-b133","jdk7-b134","jdk7-b135","jdk7-b136","jdk7-b137","jdk7-b138","jdk7-b139","jdk7-b140","jdk7-b141","jdk7-b142","jdk7-b143","jdk7-b144","jdk7-b145","jdk7-b146","jdk7-b147","jdk7-b24","jdk7-b25","jdk7-b26","jdk7-b27","jdk7-b28","jdk7-b29","jdk7-b30","jdk7-b31","jdk7-b32","jdk7-b33","jdk7-b34","jdk7-b35","jdk7-b36","jdk7-b37","jdk7-b38","jdk7-b39","jdk7-b40","jdk7-b41","jdk7-b42","jdk7-b43","jdk7-b44","jdk7-b45","jdk7-b46","jdk7-b47","jdk7-b48","jdk7-b49","jdk7-b50","jdk7-b51","jdk7-b52","jdk7-b53","jdk7-b54","jdk7-b55","jdk7-b56","jdk7-b57","jdk7-b58","jdk7-b59","jdk7-b60","jdk7-b61","jdk7-b62","jdk7-b63",
"jdk7-b64","jdk7-b65","jdk7-b66","jdk7-b67","jdk7-b68","jdk7-b69","jdk7-b70","jdk7-b71","jdk7-b72","jdk7-b73","jdk7-b74","jdk7-b75","jdk7-b76","jdk7-b77","jdk7-b78","jdk7-b79","jdk7-b80","jdk7-b81","jdk7-b82","jdk7-b83","jdk7-b84","jdk7-b85","jdk7-b86","jdk7-b87","jdk7-b88","jdk7-b89","jdk7-b90","jdk7-b91","jdk7-b92","jdk7-b93","jdk7-b94","jdk7-b95","jdk7-b96","jdk7-b97","jdk7-b98","jdk7-b99","jdk8-b01","jdk8-b02","jdk8-b03","jdk8-b04","jdk8-b05","jdk8-b06","jdk8-b07","jdk8-b08","jdk8-b09","jdk8-b10","jdk8-b100","jdk8-b101","jdk8-b102","jdk8-b103","jdk8-b104","jdk8-b105","jdk8-b106","jdk8-b107","jdk8-b108","jdk8-b109","jdk8-b11","jdk8-b110","jdk8-b111","jdk8-b112","jdk8-b113","jdk8-b114","jdk8-b115","jdk8-b116","jdk8-b117","jdk8-b118","jdk8-b119","jdk8-b12","jdk8-b120","jdk8-b13","jdk8-b14","jdk8-b15","jdk8-b16","jdk8-b17","jdk8-b18","jdk8-b19","jdk8-b20","jdk8-b21","jdk8-b22","jdk8-b23","jdk8-b24","jdk8-b25","jdk8-b26","jdk8-b27","jdk8-b28","jdk8-b29","jdk8-b30","jdk8-b31","jdk8-b32","jdk8-b33","jdk8-b34","jdk8-b35","jdk8-b36","jdk8-b37","jdk8-b38","jdk8-b39","jdk8-b40","jdk8-b41","jdk8-b42","jdk8-b43","jdk8-b44","jdk8-b45","jdk8-b46","jdk8-b47","jdk8-b48","jdk8-b49","jdk8-b50","jdk8-b51","jdk8-b52","jdk8-b53","jdk8-b54","jdk8-b55","jdk8-b56","jdk8-b57","jdk8-b58","jdk8-b59","jdk8-b60","jdk8-b61","jdk8-b62","jdk8-b63","jdk8-b64","jdk8-b65","jdk8-b66","jdk8-b67","jdk8-b68","jdk8-b69","jdk8-b70","jdk8-b71","jdk8-b72","jdk8-b73","jdk8-b74","jdk8-b75","jdk8-b76","jdk8-b77","jdk8-b78","jdk8-b79","jdk8-b80","jdk8-b81","jdk8-b82","jdk8-b83","jdk8-b84","jdk8-b85","jdk8-b86","jdk8-b87","jdk8-b88","jdk8-b89","jdk8-b90","jdk8-b91","jdk8-b92","jdk8-b93","jdk8-b94","jdk8-b95","jdk8-b96","jdk8-b97","jdk8-b98","jdk8-b99","jdk9-b00","jdk9-b01","jdk9-b02","jdk9-b03","jdk9-b04","jdk9-b05","jdk9-b06","jdk9-b07","jdk9-b08","jdk9-b09","jdk9-b10","jdk9-b11","jdk9-b12","jdk9-b13","jdk9-b14","jdk9-b15","jdk9-b16","jdk9-b17","jdk9-b18","jdk9-b19","jdk9-b20","jdk9-b21","jdk9-b22","jdk9-b23"
,"jdk9-b24","jdk9-b25","jdk9-b26","jdk9-b27","jdk9-b28","jdk9-b29","jdk9-b30","jdk9-b31","jdk9-b32","jdk9-b33","jdk9-b34","jdk9-b35","jdk9-b36","jdk9-b37","jdk9-b38","jdk9-b39","jdk9-b40","jdk9-b41","jdk9-b42","jdk9-b43","jdk9-b44","jdk9-b45","jdk9-b46","jdk9-b47","jdk9-b48","jdk9-b49","jdk9-b50","jdk9-b51","jdk9-b52","jdk9-b53","jdk9-b54","jdk9-b55","jdk9-b56","jdk9-b57","jdk9-b58","jdk9-b59","jdk9-b60","jdk9-b61","jdk9-b62","jdk9-b63","jdk9-b64","jdk9-b65","jdk9-b66","jdk9-b67","jdk9-b68","jdk9-b69","jdk9-b70","jdk9-b71","jdk9-b72","jdk9-b73","jdk9-b74","jdk9-b75","jdk9-b76","jdk9-b77","jdk9-b78","jdk9-b79","jdk9-b80","jdk9-b81","jdk9-b82","jdk9-b83","jdk9-b84","jdk9-b85","jdk9-b86","jdk9-b87","jdk9-b88","jdk9-b89","jdk9-b90","jdk9-b91","jdk9-b92","jdk9-b93","jdk9-b94","v1.1.25","v1.1.26","v1.1.27","v1.1.27-rc1","v1.1.28","v1.1.29","v1.1.29-rc1","v1.1.29-rc2","v1.1.30","v1.1.30-rc1","v1.1.30-rc2","v1.1.31","v1.1.31-rc1","v1.1.31-rc2","v1.1.32","v1.1.32-rc1","v1.1.32-rc2","v1.1.33","v1.1.33-rc1","v1.1.33-rc2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-13117.json","vanir_signatures":[{"signature_type":"Function","target":{"file":"libxslt/numbers.c","function":"xsltNumberFormatTokenize"},"source":"https://gitlab.gnome.org/GNOME/libxslt@c5eb6cf3aba0af048596106ed839b4ae17ecbcb1","deprecated":false,"id":"CVE-2019-13117-565fd9eb","signature_version":"v1","digest":{"function_hash":"149946325565218207761949792658421626761","length":1909}},{"signature_type":"Line","target":{"file":"libxslt/numbers.c"},"source":"https://gitlab.gnome.org/GNOME/libxslt@c5eb6cf3aba0af048596106ed839b4ae17ecbcb1","deprecated":false,"id":"CVE-2019-13117-a8b017df","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["43565303947768987112289376521803259580","19431884078099895786233513579532035761","49920840082758177635510753390799152839","72429694293929117164221740144272381935"]}}],"unresolved_ranges":[{"events":[{"intr
oduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.04"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.04"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"8-update231"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}