The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | 2.0.1 |
| apache | http_server | * |
The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| oracle | solaris | 11.3 |
| debian | debian_linux | 6.0 |
| canonical | ubuntu_linux | 8.04 |
| redhat | enterprise_linux_server_aus | 6.2 |
| libexpat_project | libexpat | * |
| redhat | enterprise_linux_server | 5.0 |
| redhat | enterprise_linux_workstation | 6.0 |
| debian | debian_linux | 7.0 |
| redhat | enterprise_linux_server | 6.0 |
| canonical | ubuntu_linux | 10.04 |
| redhat | enterprise_linux_workstation | 5.0 |
| redhat | storage | 2.0 |
| canonical | ubuntu_linux | 11.10 |
| canonical | ubuntu_linux | 11.04 |
| redhat | enterprise_linux_eus | 6.2 |
| redhat | enterprise_linux_desktop | 5.0 |
| python | python | * |
| redhat | enterprise_linux_desktop | 6.0 |
readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | mac_os_x | 10.11.0 |
| libexpat_project | libexpat | 1.95.2 |
| libexpat_project | libexpat | 1.95.5 |
| libexpat_project | libexpat | 1.95.6 |
| libexpat_project | libexpat | 1.95.7 |
| apple | mac_os_x | 10.11.1 |
| libexpat_project | libexpat | 1.95.8 |
| libexpat_project | libexpat | 2.0.0 |
| libexpat_project | libexpat | 1.95.4 |
| libexpat_project | libexpat | * |
| libexpat_project | libexpat | 1.95.1 |
Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | 1.95.2 |
| libexpat_project | libexpat | 1.95.5 |
| libexpat_project | libexpat | 1.95.6 |
| libexpat_project | libexpat | 1.95.7 |
| apple | mac_os_x | * |
| libexpat_project | libexpat | 1.95.8 |
| libexpat_project | libexpat | 2.0.0 |
| libexpat_project | libexpat | 1.95.4 |
| libexpat_project | libexpat | * |
| libexpat_project | libexpat | 1.95.1 |
Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 16.04 |
| android | 4.4.4 | |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 15.10 |
| libexpat_project | libexpat | * |
| debian | debian_linux | 8.0 |
| android | 5.0.2 | |
| android | 6.0 | |
| android | 5.1.1 | |
| android | 6.0.1 |
expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-611,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | macos | * |
| apple | watchos | * |
| apple | ipados | * |
| libexpat_project | libexpat | * |
| apple | iphone_os | * |
| python | python | * |
| apple | tvos | * |
Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| suse | linux_enterprise_desktop | 12 |
| chrome | * | |
| oracle | solaris | 11.3 |
| oracle | solaris | 10 |
| opensuse | leap | 42.1 |
| canonical | ubuntu_linux | 14.04 |
| opensuse | opensuse | 13.1 |
| canonical | ubuntu_linux | 15.04 |
| libexpat_project | libexpat | * |
| suse | linux_enterprise_server | 11 |
| debian | debian_linux | 8.0 |
| suse | linux_enterprise_server | 12 |
| suse | linux_enterprise_software_development_kit | 11 |
| debian | debian_linux | 7.0 |
| suse | linux_enterprise_software_development_kit | 12 |
| debian | debian_linux | 9.0 |
| opensuse | opensuse | 13.2 |
| suse | studio_onsite | 1.3 |
| python | python | * |
| suse | linux_enterprise_debuginfo | 11 |
Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| suse | linux_enterprise_desktop | 12 |
| opensuse | leap | 42.1 |
| canonical | ubuntu_linux | 14.04 |
| opensuse | opensuse | 13.1 |
| libexpat_project | libexpat | * |
| suse | linux_enterprise_server | 11 |
| debian | debian_linux | 8.0 |
| suse | linux_enterprise_server | 12 |
| suse | linux_enterprise_software_development_kit | 11 |
| suse | linux_enterprise_software_development_kit | 12 |
| mozilla | firefox | * |
| canonical | ubuntu_linux | 16.04 |
| opensuse | opensuse | 13.2 |
| apple | mac_os_x | * |
| mcafee | policy_auditor | * |
| suse | studio_onsite | 1.3 |
| python | python | * |
| suse | linux_enterprise_debuginfo | 11 |
The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| mcafee | policy_auditor | * |
| libexpat_project | libexpat | * |
| python | python | * |
The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 16.04 |
| android | 4.4.4 | |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 15.10 |
| libexpat_project | libexpat | * |
| debian | debian_linux | 8.0 |
| android | 5.0.2 | |
| android | 6.0 | |
| android | 5.1.1 | |
| android | 6.0.1 |
The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-426,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | 2.2.2 |
| libexpat_project | libexpat | 2.2.1 |
XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-611,CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| libexpat_project | libexpat | * |
| debian | debian_linux | 8.0 |
| python | python | * |
| debian | debian_linux | 10.0 |
In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-611,CWE-611,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 14.04 |
| fedoraproject | fedora | 30 |
| oracle | http_server | 12.2.1.4.0 |
| libexpat_project | libexpat | * |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 19.04 |
| oracle | http_server | 12.1.3.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 16.04 |
| oracle | outside_in_technology | 8.5.5 |
| canonical | ubuntu_linux | 18.10 |
| oracle | outside_in_technology | 8.5.4 |
| fedoraproject | fedora | 29 |
| tenable | nessus | * |
| oracle | hospitality_res_3700 | * |
| opensuse | leap | 15.0 |
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-776,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |
| python | python | * |
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-682,CWE-682,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | solidfire_&_hci_management_node | - |
| siemens | sinema_remote_connect_server | * |
| netapp | hci_baseboard_management_controller | h615c |
| netapp | active_iq_unified_manager | - |
| netapp | oncommand_workflow_automation | - |
| debian | debian_linux | 11.0 |
| libexpat_project | libexpat | * |
| netapp | hci_baseboard_management_controller | h610s |
| netapp | hci_baseboard_management_controller | h610c |
| tenable | nessus | * |
| debian | debian_linux | 10.0 |
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| cve@mitre.org | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | solidfire_&_hci_management_node | - |
| siemens | sinema_remote_connect_server | * |
| netapp | hci_baseboard_management_controller | h615c |
| netapp | active_iq_unified_manager | - |
| netapp | oncommand_workflow_automation | - |
| libexpat_project | libexpat | * |
| netapp | hci_baseboard_management_controller | h610s |
| netapp | hci_baseboard_management_controller | h610c |
| netapp | clustered_data_ontap | - |
| tenable | nessus | * |
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | sinema_remote_connect_server | * |
| debian | debian_linux | 11.0 |
| libexpat_project | libexpat | * |
| tenable | nessus | * |
| debian | debian_linux | 10.0 |
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | sinema_remote_connect_server | * |
| debian | debian_linux | 11.0 |
| libexpat_project | libexpat | * |
| tenable | nessus | * |
| debian | debian_linux | 10.0 |
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | sinema_remote_connect_server | * |
| debian | debian_linux | 11.0 |
| libexpat_project | libexpat | * |
| tenable | nessus | * |
| debian | debian_linux | 10.0 |
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | sinema_remote_connect_server | * |
| debian | debian_linux | 11.0 |
| libexpat_project | libexpat | * |
| tenable | nessus | * |
| debian | debian_linux | 10.0 |
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | sinema_remote_connect_server | * |
| debian | debian_linux | 11.0 |
| libexpat_project | libexpat | * |
| tenable | nessus | * |
| debian | debian_linux | 10.0 |
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | sinema_remote_connect_server | * |
| debian | debian_linux | 11.0 |
| libexpat_project | libexpat | * |
| tenable | nessus | * |
| debian | debian_linux | 10.0 |
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | sinema_remote_connect_server | * |
| debian | debian_linux | 9.0 |
| netapp | oncommand_workflow_automation | - |
| libexpat_project | libexpat | * |
| netapp | clustered_data_ontap | - |
| tenable | nessus | * |
| oracle | communications_metasolv_solution | 6.3.1 |
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | sinema_remote_connect_server | * |
| fedoraproject | fedora | 35 |
| debian | debian_linux | 11.0 |
| libexpat_project | libexpat | * |
| fedoraproject | fedora | 34 |
| tenable | nessus | * |
| oracle | communications_metasolv_solution | 6.3.1 |
| debian | debian_linux | 10.0 |
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-116,CWE-116,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | sinema_remote_connect_server | * |
| fedoraproject | fedora | 35 |
| oracle | zfs_storage_appliance_kit | 8.8 |
| debian | debian_linux | 11.0 |
| oracle | http_server | 12.2.1.3.0 |
| oracle | http_server | 12.2.1.4.0 |
| libexpat_project | libexpat | * |
| fedoraproject | fedora | 34 |
| debian | debian_linux | 10.0 |
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-668,CWE-668,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | sinema_remote_connect_server | * |
| oracle | zfs_storage_appliance_kit | 8.8 |
| debian | debian_linux | 11.0 |
| oracle | http_server | 12.2.1.3.0 |
| oracle | http_server | 12.2.1.4.0 |
| libexpat_project | libexpat | * |
| debian | debian_linux | 10.0 |
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-674,CWE-674,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | sinema_remote_connect_server | * |
| fedoraproject | fedora | 35 |
| oracle | zfs_storage_appliance_kit | 8.8 |
| debian | debian_linux | 11.0 |
| oracle | http_server | 12.2.1.3.0 |
| oracle | http_server | 12.2.1.4.0 |
| libexpat_project | libexpat | * |
| fedoraproject | fedora | 34 |
| debian | debian_linux | 10.0 |
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | sinema_remote_connect_server | * |
| fedoraproject | fedora | 35 |
| oracle | zfs_storage_appliance_kit | 8.8 |
| debian | debian_linux | 11.0 |
| oracle | http_server | 12.2.1.3.0 |
| oracle | http_server | 12.2.1.4.0 |
| libexpat_project | libexpat | * |
| fedoraproject | fedora | 34 |
| debian | debian_linux | 10.0 |
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | sinema_remote_connect_server | * |
| fedoraproject | fedora | 35 |
| oracle | zfs_storage_appliance_kit | 8.8 |
| debian | debian_linux | 11.0 |
| oracle | http_server | 12.2.1.3.0 |
| oracle | http_server | 12.2.1.4.0 |
| libexpat_project | libexpat | * |
| fedoraproject | fedora | 34 |
| debian | debian_linux | 10.0 |
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 35 |
| debian | debian_linux | 11.0 |
| libexpat_project | libexpat | * |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 10.0 |
In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | baseboard_management_controller_h300s_firmware | - |
| fedoraproject | fedora | 35 |
| netapp | h500s_firmware | - |
| netapp | oncommand_workflow_automation | - |
| netapp | h410s_firmware | - |
| libexpat_project | libexpat | * |
| netapp | baseboard_management_controller_h410s_firmware | - |
| netapp | h700s_firmware | - |
| netapp | h410c_firmware | - |
| debian | debian_linux | 10.0 |
| netapp | solidfire_&_hci_management_node | - |
| fedoraproject | fedora | 37 |
| netapp | active_iq_unified_manager | - |
| debian | debian_linux | 11.0 |
| netapp | h300s_firmware | - |
| netapp | baseboard_management_controller_h700s_firmware | - |
| netapp | hci_compute_node_firmware | - |
| netapp | baseboard_management_controller_h410c_firmware | - |
| fedoraproject | fedora | 36 |
| netapp | baseboard_management_controller_h500s_firmware | - |
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |
libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |
libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 39 |
| netapp | h500s_firmware | - |
| netapp | windows_host_utilities | - |
| netapp | oncommand_workflow_automation | - |
| fedoraproject | fedora | 40 |
| netapp | h610s_firmware | - |
| netapp | h410s_firmware | - |
| libexpat_project | libexpat | * |
| netapp | h700s_firmware | - |
| netapp | h410c_firmware | - |
| fedoraproject | fedora | 38 |
| netapp | h610c_firmware | - |
| netapp | active_iq_unified_manager | - |
| netapp | h300s_firmware | - |
| netapp | ontap_tools | 10 |
| netapp | ontap | 9 |
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |
An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |
An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |
An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | solidfire_&_hci_storage_node | - |
| netapp | h500s_firmware | - |
| netapp | windows_host_utilities | - |
| netapp | h410s_firmware | - |
| libexpat_project | libexpat | * |
| netapp | h700s_firmware | - |
| netapp | h410c_firmware | - |
| netapp | hci_compute_node | - |
| netapp | solidfire_&_hci_management_node | - |
| netapp | active_iq_unified_manager | - |
| debian | debian_linux | 11.0 |
| netapp | h300s_firmware | - |
libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve@mitre.org | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve@mitre.org | 2.9 | LOW | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L | 1.4 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |
In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve@mitre.org | 2.9 | LOW | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L | 1.4 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |
In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve@mitre.org | 6.9 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L | 1.4 | 5.5 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |
libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
| cve@mitre.org | 4.0 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.5 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |
libexpat before 2.7.5 allows an infinite loop while parsing DTD content.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve@mitre.org | 4.0 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.5 | 1.4 |
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |
libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve@mitre.org | 2.9 | LOW | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L | 1.4 | 1.4 |
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |
libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
| cve@mitre.org | 2.9 | LOW | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L | 1.4 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libexpat_project | libexpat | * |