CVE-2015-9019
Publication date 5 April 2017
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.
Status
Package | Ubuntu Release | Status |
---|---|---|
libxslt | ||
22.04 LTS jammy | Ignored see notes | |
20.04 LTS focal | Ignored see notes | |
18.04 LTS bionic | Ignored see notes | |
16.04 LTS xenial | Ignored see notes | |
14.04 LTS trusty | Ignored end of ESM support, was ignored [see notes] | |
Notes
sbeattie
upstream fixed this for xsltproc, but libxslt remains unfixed not clear what the security impact of this is
mdeslaur
as of 2022-08-05, no indication that upstream will fix this
ccdm94
there is no upstream patch provided for this issue. The random function in libxslt does not guarantee it will adhere to all cryptographic requirements, and applications using libxslt are expected to be the ones performing the seeding of the system's PRNG in order to achieve proper randomness. For this reason, status for all releases will be set to ignored.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.3 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |