{"id":"CVE-2019-13117","details":"In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.","aliases":["GHSA-4hm9-844j-jmxp"],"modified":"2026-04-16T04:40:26.721855542Z","published":"2019-07-01T02:15:09.737Z","related":["SUSE-SU-2019:1867-1","SUSE-SU-2020:0081-1","SUSE-SU-2020:0640-1","SUSE-SU-2020:0642-1","SUSE-SU-2020:1409-1","openSUSE-SU-2020:0731-1","openSUSE-SU-2024:11017-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ/"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2019/11/17/2"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190806-0004/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200122-0003/"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4164-1/"},{"type":"REPORT","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471"},{"type":"REPORT","url":"https://oss-fuzz.com/testcase-detail/5631739747106816"},{"type":"FIX","url":"https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1"}],"affected":[{"ranges":[{"type":"GIT","repo":"ht
tps://github.com/openjdk/jdk","events":[{"introduced":"0"},{"last_affected":"d5b466657e29a5338b84fa9acfc1b76bf8c39d61"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"19.10"}]}},{"type":"GIT","repo":"https://github.com/openjdk/jdk15u","events":[{"introduced":"0"},{"last_affected":"74882b0d0dbe23ee43b60ff4d5b2ede8a0ad4679"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"15.1"}]}},{"type":"GIT","repo":"https://gitlab.gnome.org/GNOME/libxslt","events":[{"introduced":"0"},{"last_affected":"f1eb717f04d9cc297cc5e58e94b81ac96f47e741"},{"fixed":"c5eb6cf3aba0af048596106ed839b4ae17ecbcb1"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.1.33"}]}}],"versions":["1.1.23","1.1.24","CVE-2015-7995","LIBXSLT_0_0_0","LIBXSLT_0_10_0","LIBXSLT_0_11_0","LIBXSLT_0_12_0","LIBXSLT_0_13_0","LIBXSLT_0_14_0","LIBXSLT_0_1_0","LIBXSLT_0_3_0","LIBXSLT_0_4_0","LIBXSLT_0_6_0","LIBXSLT_0_7_0","LIBXSLT_0_8_0","LIBXSLT_0_9_0","LIBXSLT_1_0_0","LIBXSLT_1_0_10","LIBXSLT_1_0_11","LIBXSLT_1_0_12","LIBXSLT_1_0_13","LIBXSLT_1_0_14","LIBXSLT_1_0_16","LIBXSLT_1_0_17","LIBXSLT_1_0_18","LIBXSLT_1_0_19","LIBXSLT_1_0_2","LIBXSLT_1_0_20","LIBXSLT_1_0_21","LIBXSLT_1_0_22","LIBXSLT_1_0_23","LIBXSLT_1_0_24","LIBXSLT_1_0_25","LIBXSLT_1_0_26","LIBXSLT_1_0_27","LIBXSLT_1_0_28","LIBXSLT_1_0_29","LIBXSLT_1_0_3","LIBXSLT_1_0_30","LIBXSLT_1_0_31","LIBXSLT_1_0_32","LIBXSLT_1_0_33","LIBXSLT_1_0_4","LIBXSLT_1_0_5","LIBXSLT_1_0_6","LIBXSLT_1_0_7","LIBXSLT_1_0_8","LIBXSLT_1_0_9","LIBXSLT_1_1_0","LIBXSLT_1_1_1","LIBXSLT_1_1_10","LIBXSLT_1_1_11","LIBXSLT_1_1_12","LIBXSLT_1_1_13","LIBXSLT_1_1_14","LIBXSLT_1_1_15","LIBXSLT_1_1_16","LIBXSLT_1_1_17","LIBXSLT_1_1_18","LIBXSLT_1_1_2","LIBXSLT_1_1_21","LIBXSLT_1_1_22","LIBXSLT_1_1_3","LIBXSLT_1_1_4","LIBXSLT_1_1_5","LIBXSLT_1_1_6","LIBXSLT_1_1_7","LIBXSLT_1_1_8","LIBXSLT_1_1_9","LIXSLT_0_5_0","jdk-10+20","jdk-10+21","jdk-10+22","jdk-10+23","jdk-10+24","jdk-12+0","jdk-15+0","jdk-15+1","jdk-15+2","jdk-15+3","jdk-15+4"
,"jdk-15+6","jdk-16+14","jdk-16+15","jdk-16+16","jdk-16+17","jdk-16+18","jdk-16+19","jdk-16+20","jdk-16+21","jdk-16+22","jdk-16+23","jdk-16+24","jdk-16+25","jdk-16+26","jdk-16+27","jdk-16+28","jdk-17+0","jdk-17+1","jdk-17+10","jdk-17+11","jdk-17+12","jdk-17+13","jdk-17+14","jdk-17+15","jdk-17+16","jdk-17+17","jdk-17+18","jdk-17+19","jdk-17+2","jdk-17+20","jdk-17+21","jdk-17+22","jdk-17+23","jdk-17+24","jdk-17+25","jdk-17+26","jdk-17+3","jdk-17+4","jdk-17+5","jdk-17+6","jdk-17+7","jdk-17+8","jdk-17+9","jdk-18+0","jdk-18+1","jdk-18+10","jdk-18+11","jdk-18+12","jdk-18+13","jdk-18+14","jdk-18+15","jdk-18+16","jdk-18+17","jdk-18+18","jdk-18+19","jdk-18+2","jdk-18+20","jdk-18+21","jdk-18+22","jdk-18+23","jdk-18+24","jdk-18+25","jdk-18+26","jdk-18+27","jdk-18+3","jdk-18+4","jdk-18+5","jdk-18+6","jdk-18+7","jdk-18+8","jdk-18+9","jdk-19+0","jdk-19+1","jdk-19+10","jdk-19+2","jdk-19+3","jdk-19+4","jdk-19+5","jdk-19+6","jdk-19+7","jdk-19+8","jdk-19+9","jdk-9+100","jdk-9+101","jdk-9+102","jdk-9+103","jdk-9+104","jdk-9+105","jdk-9+106","jdk-9+107","jdk-9+108","jdk-9+109","jdk-9+110","jdk-9+111","jdk-9+112","jdk-9+113","jdk-9+114","jdk-9+115","jdk-9+116","jdk-9+117","jdk-9+118","jdk-9+119","jdk-9+120","jdk-9+121","jdk-9+122","jdk-9+123","jdk-9+124","jdk-9+127","jdk-9+128","jdk-9+129","jdk-9+130","jdk-9+131","jdk-9+132","jdk-9+133","jdk-9+134","jdk-9+135","jdk-9+136","jdk-9+137","jdk-9+138","jdk-9+139","jdk-9+140","jdk-9+141","jdk-9+142","jdk-9+143","jdk-9+144","jdk-9+145","jdk-9+146","jdk-9+147","jdk-9+148","jdk-9+149","jdk-9+150","jdk-9+151","jdk-9+152","jdk-9+153","jdk-9+154","jdk-9+155","jdk-9+156","jdk-9+95","jdk-9+96","jdk-9+97","jdk-9+98","jdk-9+99","jdk7-b100","jdk7-b101","jdk7-b102","jdk7-b103","jdk7-b104","jdk7-b105","jdk7-b106","jdk7-b107","jdk7-b108","jdk7-b120","jdk7-b121","jdk7-b122","jdk7-b123","jdk7-b124","jdk7-b125","jdk7-b126","jdk7-b127","jdk7-b128","jdk7-b129","jdk7-b130","jdk7-b131","jdk7-b132","jdk7-b133","jdk7-b134","jdk7-b135","jdk7-b136","jdk7-b137","jdk7-b
138","jdk7-b139","jdk7-b140","jdk7-b141","jdk7-b143","jdk7-b24","jdk7-b25","jdk7-b26","jdk7-b27","jdk7-b28","jdk7-b31","jdk7-b32","jdk7-b33","jdk7-b34","jdk7-b35","jdk7-b36","jdk7-b38","jdk7-b39","jdk7-b40","jdk7-b41","jdk7-b44","jdk7-b45","jdk7-b46","jdk7-b48","jdk7-b49","jdk7-b50","jdk7-b51","jdk7-b53","jdk7-b54","jdk7-b55","jdk7-b56","jdk7-b60","jdk7-b61","jdk7-b62","jdk7-b63","jdk7-b64","jdk7-b65","jdk7-b66","jdk7-b68","jdk7-b70","jdk7-b71","jdk7-b72","jdk7-b73","jdk7-b74","jdk7-b75","jdk7-b76","jdk7-b77","jdk7-b78","jdk7-b79","jdk7-b80","jdk7-b81","jdk7-b82","jdk7-b83","jdk7-b84","jdk7-b85","jdk7-b86","jdk7-b87","jdk7-b88","jdk7-b89","jdk7-b90","jdk7-b91","jdk7-b92","jdk7-b93","jdk7-b94","jdk7-b95","jdk7-b96","jdk7-b97","jdk7-b98","jdk7-b99","jdk8-b01","jdk8-b119","jdk8-b120","jdk8-b15","jdk8-b16","jdk8-b18","jdk8-b19","jdk8-b20","jdk8-b21","jdk8-b22","jdk8-b23","jdk8-b24","jdk8-b25","jdk8-b26","jdk8-b27","jdk8-b28","jdk8-b29","jdk8-b30","jdk8-b31","jdk8-b32","jdk8-b33","jdk8-b34","jdk8-b35","jdk8-b36","jdk8-b37","jdk8-b38","jdk8-b39","jdk8-b40","jdk8-b41","jdk8-b42","jdk8-b43","jdk8-b44","jdk8-b45","jdk8-b46","jdk8-b49","jdk8-b50","jdk8-b52","jdk8-b53","jdk8-b54","jdk8-b55","jdk9-b00","jdk9-b01","jdk9-b04","jdk9-b05","jdk9-b06","jdk9-b07","jdk9-b08","jdk9-b10","jdk9-b11","jdk9-b12","jdk9-b13","jdk9-b14","jdk9-b15","jdk9-b16","jdk9-b17","jdk9-b18","jdk9-b19","jdk9-b20","jdk9-b21","jdk9-b23","jdk9-b24","jdk9-b25","jdk9-b26","jdk9-b27","jdk9-b30","jdk9-b31","jdk9-b32","jdk9-b33","jdk9-b34","jdk9-b35","jdk9-b36","jdk9-b37","jdk9-b38","jdk9-b39","jdk9-b40","jdk9-b41","jdk9-b42","jdk9-b43","jdk9-b44","jdk9-b45","jdk9-b46","jdk9-b47","jdk9-b48","jdk9-b49","jdk9-b50","jdk9-b51","jdk9-b52","jdk9-b53","jdk9-b54","jdk9-b55","jdk9-b56","jdk9-b57","jdk9-b58","jdk9-b59","jdk9-b60","jdk9-b61","jdk9-b62","jdk9-b63","jdk9-b64","jdk9-b65","jdk9-b66","jdk9-b67","jdk9-b68","jdk9-b69","jdk9-b70","jdk9-b71","jdk9-b72","jdk9-b73","jdk9-b74","jdk9-b75","jdk9-b76","jdk9-b77","jdk9-b78
","jdk9-b79","jdk9-b80","jdk9-b81","jdk9-b82","jdk9-b83","jdk9-b84","jdk9-b85","jdk9-b86","jdk9-b87","jdk9-b88","jdk9-b89","jdk9-b90","jdk9-b91","jdk9-b92","jdk9-b94","v1.1.25","v1.1.26","v1.1.27","v1.1.27-rc1","v1.1.28","v1.1.29","v1.1.29-rc1","v1.1.29-rc2","v1.1.30","v1.1.30-rc1","v1.1.30-rc2","v1.1.31","v1.1.31-rc1","v1.1.31-rc2","v1.1.32","v1.1.32-rc1","v1.1.32-rc2","v1.1.33","v1.1.33-rc1","v1.1.33-rc2"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","signature_type":"Function","digest":{"length":1909,"function_hash":"149946325565218207761949792658421626761"},"id":"CVE-2019-13117-565fd9eb","deprecated":false,"target":{"function":"xsltNumberFormatTokenize","file":"libxslt/numbers.c"},"source":"https://gitlab.gnome.org/GNOME/libxslt@c5eb6cf3aba0af048596106ed839b4ae17ecbcb1"},{"source":"https://gitlab.gnome.org/GNOME/libxslt@c5eb6cf3aba0af048596106ed839b4ae17ecbcb1","target":{"file":"libxslt/numbers.c"},"digest":{"threshold":0.9,"line_hashes":["43565303947768987112289376521803259580","19431884078099895786233513579532035761","49920840082758177635510753390799152839","72429694293929117164221740144272381935"]},"signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2019-13117-a8b017df"}],"vanir_signatures_modified":"2026-04-11T12:42:18Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.04"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.04"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"8-update231"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13117.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}