CVE-2024-28757

Опубликовано: 10 мар. 2024

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

Ссылки

http://www.openwall.com/lists/oss-security/2024/03/15/1
Mailing List
Patch
Release Notes
https://github.com/libexpat/libexpat/issues/839
Exploit
Issue Tracking
Patch
https://github.com/libexpat/libexpat/pull/842
Issue Tracking
Patch
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/
Mailing List
https://security.netapp.com/advisory/ntap-20240322-0001/
Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/03/15/1
Mailing List
Patch
Release Notes
https://github.com/libexpat/libexpat/issues/839
Exploit
Issue Tracking
Patch
https://github.com/libexpat/libexpat/pull/842
Issue Tracking
Patch
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/
Mailing List
https://security.netapp.com/advisory/ntap-20240322-0001/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*

Версия до 2.6.2 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*

cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:ontap:9:*:*:*:*:*:*:*

cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:*

cpe:2.3:a:netapp:windows_host_utilities:-:*:*:*:*:*:*:*

Конфигурация 4

Одновременно

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Конфигурация 5

Одновременно

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Конфигурация 6

Одновременно

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Конфигурация 7

Одновременно

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Конфигурация 8

Одновременно

cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*

Конфигурация 9

Одновременно

cpe:2.3:o:netapp:h610c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h610c:-:*:*:*:*:*:*:*

Конфигурация 10

Одновременно

cpe:2.3:o:netapp:h610s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h610s:-:*:*:*:*:*:*:*

EPSS

Процентиль: 64%

0.00474

Низкий

7.5 High

CVSS3

Дефекты

CWE-776

Связанные уязвимости

CVE-2024-28757

CVSS3: 7.5

ubuntu

больше 1 года назад

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

CVE-2024-28757

CVSS3: 7.5

redhat

больше 1 года назад

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

CVE-2024-28757

CVSS3: 7.5

msrc

4 месяца назад

Описание отсутствует

CVE-2024-28757

CVSS3: 7.5

debian

больше 1 года назад

libexpat through 2.6.1 allows an XML Entity Expansion attack when ther ...

GHSA-ch5v-h69f-mxc8

CVSS3: 7.5

github

больше 1 года назад

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

EPSS

Процентиль: 64%

0.00474

Низкий

7.5 High

CVSS3

Дефекты

CWE-776