CVE-2019-14493 – CVE-2019-14493 is a NULL pointer dereference vu... (How to Fix)

Q: What is the severity of CVE-2019-14493?

CVE-2019-14493 has a CVSS score of 7.5 (HIGH). CVE-2019-14493 is a NULL pointer dereference vulnerability in OpenCV's XML parser that can cause denial of service (crash) when processing malicious XML files. This affects applications using OpenCV's persistence module to parse XML data. Developers and systems using OpenCV for image processing with XML configuration or data files are impacted.

📋 TL;DR

CVE-2019-14493 is a NULL pointer dereference vulnerability in OpenCV's XML parser that can cause denial of service (crash) when processing malicious XML files. This affects applications using OpenCV's persistence module to parse XML data. Developers and systems using OpenCV for image processing with XML configuration or data files are impacted.

💻 Affected Systems

Products:

OpenCV

Versions: All versions before 4.1.1

Operating Systems: All platforms running OpenCV (Linux, Windows, macOS, etc.)

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects applications using cv::XMLParser functionality. Many OpenCV applications may not use this specific feature.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Opencv by Opencv

View all CVEs affecting Opencv →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete application crash leading to denial of service, potentially disrupting critical image processing pipelines or services.

🟠

Likely Case

Application crash when processing specially crafted XML files, causing temporary service disruption.

🟢

If Mitigated

Minimal impact with proper input validation and error handling; crashes contained within isolated processes.

🌐 Internet-Facing: MEDIUM - Applications accepting XML uploads or processing external XML files could be targeted for DoS attacks.

🏢 Internal Only: LOW - Internal systems processing trusted XML files have lower exposure, but malicious insiders could still trigger crashes.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires feeding malicious XML to the vulnerable parser. Public proof-of-concept exists in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenCV 4.1.1 and later

Vendor Advisory: https://github.com/opencv/opencv/issues/15127

Restart Required: Yes

Instructions:

1. Update OpenCV to version 4.1.1 or later. 2. Recompile applications against the updated library. 3. Restart affected services.

🔧 Temporary Workarounds

Disable XML parsing

all

Remove or disable XML parsing functionality if not required

Recompile with XML persistence disabled or modify code to avoid cv::XMLParser usage

Input validation

all

Validate XML files before passing to OpenCV parser

Implement XML schema validation or use separate XML library for validation

🧯 If You Can't Patch

Implement strict input validation for all XML files processed by OpenCV
Run OpenCV applications in isolated containers with resource limits to contain crashes

🔍 How to Verify

Check if Vulnerable:

Check OpenCV version: if version < 4.1.1 and application uses XML parsing, it's vulnerable

Check Version:

python -c "import cv2; print(cv2.__version__)" or check build configuration

Verify Fix Applied:

Verify OpenCV version is ≥ 4.1.1 and test with known malicious XML samples

📡 Detection & Monitoring

Log Indicators:

Application crashes with segmentation faults
Error messages mentioning persistence.cpp or XMLParser

Network Indicators:

Unusual XML file uploads to image processing services
Repeated requests with XML payloads

SIEM Query:

source="application.log" AND ("segmentation fault" OR "NULL pointer" OR "persistence.cpp")

📊 Metadata

CVE ID: CVE-2019-14493

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

Published: August 1, 2019

Last Updated: November 21, 2024

🔗 References

https://github.com/opencv/opencv/compare/371bba8...ddbd10c Third Party Advisory
https://github.com/opencv/opencv/issues/15127 Exploit,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00028.html Mailing List,Third Party Advisory
https://github.com/opencv/opencv/compare/371bba8...ddbd10c Third Party Advisory
https://github.com/opencv/opencv/issues/15127 Exploit,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00028.html Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-14493, you might also want to check these: