How severe is CVE-2019-16941?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2019-16941?

This is classified as CWE-91, which is a common weakness in software security.

CVE-2019-16941 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).

Related Vulnerabilities

CVE-2013-4857

CRITICAL

CVSS:9.8(Critical)

D-Link DIR-865L has PHP File Inclusion in the router xml file.

CWE-912013

CVE-2013-7429

CRITICAL

CVSS:9.8(Critical)

The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to conduct XML injection attacks via the url parameter to plugin_googlemap2_proxy.php.

CWE-912013

CVE-2015-6970

CRITICAL

CVSS:9.8(Critical)

The web interface in Bosch Security Systems NBN-498 Dinion2X Day/Night IP Cameras with H.264 Firmware 4.54.0026 allows remote attackers to conduct XML injection attacks via the idstring parameter to r...

CWE-912015

CVE-2019-14277

CRITICAL

CVSS:9.8(Critical)

Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the REST...

CWE-912019

CVE-2019-17626

CRITICAL

CVSS:9.8(Critical)

ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.

CWE-912019

CVE-2019-19450

CRITICAL

CVSS:9.8(Critical)

paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar c...

CWE-912019