Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2014-0191

Опубликовано: 06 мая 2014
Источник: redhat
CVSS2: 4.3
EPSS Низкий

Описание

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5libxml2Will not fix
Red Hat Enterprise Linux 6mingw32-libxml2Will not fix
Red Hat Enterprise Linux 6libxml2FixedRHSA-2014:051319.05.2014
Red Hat Enterprise Linux 7libxml2FixedRHSA-2015:074930.03.2015

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-611
https://bugzilla.redhat.com/show_bug.cgi?id=1090976libxml2: external parameter entity loaded when entity substitution is disabled

EPSS

Процентиль: 79%
0.01309
Низкий

4.3 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2014-0191

ubuntu
больше 10 лет назад

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

nvd логотип

CVE-2014-0191

nvd
больше 10 лет назад

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

debian логотип

CVE-2014-0191

debian
больше 10 лет назад

The xmlParserHandlePEReference function in parser.c in libxml2 before ...

suse-cvrf логотип

SUSE-RU-2016:2413-1

suse-cvrf
почти 9 лет назад

Recommended update for libxml2

github логотип

GHSA-hwp3-c628-9f7v

github
больше 3 лет назад

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

EPSS

Процентиль: 79%
0.01309
Низкий

4.3 Medium

CVSS2