{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-55549", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-11-03T20:48:48.086Z", "dateReserved": "2024-12-08T00:00:00.000Z", "datePublished": "2025-03-14T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "libxslt", "vendor": "xmlsoft", "versions": [{"lessThan": "1.1.43", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-03-14T01:02:10.105Z"}, "references": [{"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/127"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.1.43"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-14T19:26:54.516211Z", "id": "CVE-2024-55549", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T19:27:01.711Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T20:48:48.086Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-55549", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-14T19:26:54.516211Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T19:13:50.017Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"}}], "affected": [{"vendor": "xmlsoft", "product": "libxslt", "versions": [{"status": "affected", "version": "0", "lessThan": "1.1.43", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/127"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.1.43"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-03-14T01:02:10.105Z"}}}, "cveMetadata": {"cveId": "CVE-2024-55549", "state": "PUBLISHED", "dateUpdated": "2025-03-14T19:27:01.711Z", "dateReserved": "2024-12-08T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-03-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*", "matchCriteriaId": "CEA1BBB0-7A2D-4692-9A66-E59385990224", "versionEndExcluding": "1.1.43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes."}, {"lang": "es", "value": "xsltGetInheritedNsList en libxslt anterior a 1.1.43 tiene un problema de uso despu\u00e9s de la liberaci\u00f3n relacionado con la exclusi\u00f3n de prefijos de resultados."}], "id": "CVE-2024-55549", "lastModified": "2025-11-03T21:17:50.197", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 5.8, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-14T02:15:15.333", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/127"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:7496", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "libxslt-0:1.1.39-7.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:3612", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "libxslt-0:1.1.28-8.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:4098", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "libxslt-0:1.1.28-9.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3615", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "libxslt-0:1.1.32-6.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3615", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "libxslt-0:1.1.32-6.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3619", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "libxslt-0:1.1.32-6.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3626", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "libxslt-0:1.1.32-8.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3626", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "libxslt-0:1.1.32-8.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3626", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "libxslt-0:1.1.32-8.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3625", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "libxslt-0:1.1.32-8.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3625", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "libxslt-0:1.1.32-8.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3625", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "libxslt-0:1.1.32-8.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3624", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "libxslt-0:1.1.32-8.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:4025", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libxslt-0:1.1.34-9.el9_5.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:7410", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libxslt-0:1.1.34-13.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:3627", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "libxslt-0:1.1.34-11.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3614", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "libxslt-0:1.1.34-11.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3613", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "libxslt-0:1.1.34-13.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:8303", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "package": "rhcos-412.86.202505281830-0", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2025-06-05T00:00:00Z"}, {"advisory": "RHSA-2025:4677", "cpe": "cpe:/a:redhat:openshift:4.13::el9", "package": "rhcos-413.92.202505061702-0", "product_name": "Red Hat OpenShift Container Platform 4.13", "release_date": "2025-05-15T00:00:00Z"}, {"advisory": "RHSA-2025:7702", "cpe": "cpe:/a:redhat:openshift:4.14::el9", "package": "rhcos-414.92.202505141057-0", "product_name": "Red Hat OpenShift Container Platform 4.14", "release_date": "2025-05-21T00:00:00Z"}, {"advisory": "RHSA-2025:4422", "cpe": "cpe:/a:redhat:openshift:4.15::el9", "package": "rhcos-415.92.202504282058-0", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2025-05-08T00:00:00Z"}, {"advisory": "RHSA-2025:4731", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "rhcos-416.94.202505051351-0", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-05-15T00:00:00Z"}, {"advisory": "RHSA-2025:4431", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "rhcos-417.94.202504291434-0", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-05-09T00:00:00Z"}, {"advisory": "RHSA-2025:4427", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "rhcos-418.94.202504291430-0", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-05-09T00:00:00Z"}], "bugzilla": {"description": "libxslt: Use-After-Free in libxslt (xsltGetInheritedNsList)", "id": "2352484", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2352484"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.", "A flaw was found in libxslt. This vulnerability allows an attacker to trigger a use-after-free issue by excluding result prefixes."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-55549", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libxslt", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2025-03-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-55549\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-55549\nhttps://gitlab.gnome.org/GNOME/libxslt/-/issues/127"], "statement": "This use-after-free vulnerability in libxslt marked as Important rather than a Moderate flaw, due to its potential to enable arbitrary code execution or cause denial-of-service conditions. The vulnerability arises from mishandled memory in the exclPrefixTab table, which references freed namespace URLs during stylesheet processing. When an included stylesheet has xsl:text as the root and is deleted, the associated namespace URLs remain referenced in exclPrefixTab despite being freed, leading to a classic use-after-free condition. Since libxslt is a core XML transformation library frequently used in complex server-side applications (e.g., web frameworks, document rendering), an attacker can craft malicious XSLT stylesheets to exploit this flaw, potentially gaining remote code execution within the application's process.", "threat_severity": "Important"}

{}