Описание
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| libxml2 | not-affected | package |
Примечания
https://gitlab.gnome.org/GNOME/libxml2/-/issues/761
Introduced with: https://gitlab.gnome.org/GNOME/libxml2/-/commit/481d79d44cf8ed864ed3d74edbeb96e8cd9ed4a7 (v2.11.0)
Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6
Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/de28e6ed3a7f18d3188dd18ac5b854b21e05d33a (v2.13.3)
Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c2b237174539db92f4504fbc5198d2f1561baca (v2.12.9)
Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/ae8f0ac0a2900219c3d762ae0b513e199dcf19a5 (v2.11.9)
EPSS
Связанные уязвимости
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
EPSS