CVE-2014-3660
Date: (C) 2014-11-06   (M) 2024-02-22


parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
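The amplification the description refers to is easiest to see on a small instance: N nesting levels of M references each expand to M^N copies of the leaf string, so a document of a few hundred bytes can demand gigabytes of CPU work even when the consumer never asked for substituted text. The script below is an added example, not code from SecPod or from libxml2; it builds such a document, estimates the expanded size by resolving the internal DTD subset without materialising it, and refuses to hand the document to a parser when the amplification ratio exceeds a threshold. The regex-based DTD scanning, the `max_ratio` default and the entity names are assumptions made for illustration, and the sample documents are constructed inline.

```python
"""Billion-laughs amplification check (added example, not SecPod or libxml2 code).

CVE-2014-3660: libxml2 before 2.9.2 expanded nested internal entities even
when substitution was disabled, so a small document with N levels of M
references each expands to M**N copies of the leaf string. The estimator
below resolves the internal DTD subset without building the expanded text,
so a caller can reject a document before a real parser ever sees it.
Assumptions: entity declarations use double quotes and \\w+ names, the
DOCTYPE internal subset ends at the first ']>', and max_ratio=10 is an
arbitrary policy value chosen for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')


def build_nested_entities(depth: int, fanout: int, leaf: str = "lol") -> str:
    """Constructed sample: `depth` levels, each entity referencing `fanout`
    copies of the previous one (the classic billion-laughs shape)."""
    decls = ['<!ENTITY e0 "%s">' % leaf]
    for level in range(1, depth + 1):
        ref = "&e%d;" % (level - 1)
        decls.append('<!ENTITY e%d "%s">' % (level, ref * fanout))
    return "<!DOCTYPE lolz [%s]><lolz>&e%d;</lolz>" % ("".join(decls), depth)


def expansion_lengths(document: str) -> dict:
    """Expanded character count of every entity declared in the internal
    subset, resolved recursively with memoisation. A reference cycle is a
    well-formedness violation (WFC: No Recursion) and is reported as an error
    rather than looped on. Undeclared references (e.g. &amp;) count as 1."""
    decls = dict(ENTITY_DECL.findall(document))
    cache = {}
    resolving = set()

    def length_of(name: str) -> int:
        if name in cache:
            return cache[name]
        if name in resolving:
            raise ValueError("recursive entity reference: %r" % name)
        resolving.add(name)
        value = decls[name]
        total = len(ENTITY_REF.sub("", value))  # literal characters only
        for ref in ENTITY_REF.findall(value):
            total += length_of(ref) if ref in decls else 1
        resolving.discard(name)
        cache[name] = total
        return total

    for name in decls:
        length_of(name)
    return cache


def content_expansion(document: str) -> int:
    """Total expanded size of the entity references in the document body,
    i.e. everything after the internal subset."""
    lengths = expansion_lengths(document)
    body_start = document.index("]>") + 2 if "<!DOCTYPE" in document else 0
    body = document[body_start:]
    return sum(lengths.get(ref, 1) for ref in ENTITY_REF.findall(body))


def amplification_ratio(document: str) -> float:
    """Expanded bytes produced per byte of input document."""
    return content_expansion(document) / len(document)


def check_document(document: str, max_ratio: float = 10.0) -> bool:
    """True when the document's entity amplification stays within policy."""
    return amplification_ratio(document) <= max_ratio


def parse_if_safe(document: str, max_ratio: float = 10.0):
    """Gate a real parse (stdlib expat here, standing in for libxml2) behind
    the amplification estimate, so a hostile document is never expanded."""
    if not check_document(document, max_ratio):
        raise ValueError("entity expansion ratio exceeds %.0fx; refusing to parse" % max_ratio)
    return ET.fromstring(document)


if __name__ == "__main__":
    for depth, fanout in ((3, 4), (9, 10)):
        doc = build_nested_entities(depth, fanout)
        print("depth=%d fanout=%d: %d bytes in, %d bytes expanded, ratio %.1f, safe=%s"
              % (depth, fanout, len(doc), content_expansion(doc),
                 amplification_ratio(doc), check_document(doc)))
```

The depth-3/fan-out-4 document expands to 192 characters and is accepted; the depth-9/fan-out-10 document is a few hundred bytes but would expand to three billion characters, and the gate rejects it without invoking the parser. The fixed libxml2 release applies the same idea internally (bounding amplification relative to input size), which is why upgrading past 2.9.2 is the real remediation; a pre-parse estimate like this one is a defence-in-depth measure for code that must accept DTDs from untrusted sources.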

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score : 5.0
Exploit Score: 10.0
Impact Score: 2.9
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
  
Reference:
SECUNIA-59903
SECUNIA-61965
SECUNIA-61966
SECUNIA-61991
BID-70644
APPLE-SA-2015-08-13-2
APPLE-SA-2015-08-13-3
DSA-3057
MDVSA-2014:244
RHSA-2014:1655
RHSA-2014:1885
USN-2389-1
http://www.openwall.com/lists/oss-security/2014/10/17/7
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
https://bugzilla.redhat.com/attachment.cgi?id=944444&action=diff
https://bugzilla.redhat.com/show_bug.cgi?id=1149084
https://support.apple.com/kb/HT205030
https://support.apple.com/kb/HT205031
https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html
openSUSE-SU-2014:1330
openSUSE-SU-2015:2372

CPE (115)
cpe:/a:xmlsoft:libxml2
cpe:/a:xmlsoft:libxml2:2.3.9
cpe:/a:xmlsoft:libxml2:2.7.5
cpe:/a:xmlsoft:libxml2:2.3.8
...
OVAL (20)
oval:org.secpod.oval:def:204297
oval:org.secpod.oval:def:1500842
oval:org.secpod.oval:def:1600156
oval:org.secpod.oval:def:203468
...

© SecPod Technologies