Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2014-0191

Опубликовано: 06 мая 2014
Источник: redhat
CVSS2: 4.3

Описание

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5libxml2Will not fix
Red Hat Enterprise Linux 6mingw32-libxml2Will not fix
Red Hat Enterprise Linux 6libxml2FixedRHSA-2014:051319.05.2014
Red Hat Enterprise Linux 7libxml2FixedRHSA-2015:074930.03.2015

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-611
https://bugzilla.redhat.com/show_bug.cgi?id=1090976libxml2: external parameter entity loaded when entity substitution is disabled

4.3 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2014-0191

ubuntu
почти 11 лет назад

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

nvd логотип

CVE-2014-0191

nvd
почти 11 лет назад

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

debian логотип

CVE-2014-0191

debian
почти 11 лет назад

The xmlParserHandlePEReference function in parser.c in libxml2 before ...

suse-cvrf логотип

SUSE-RU-2016:2413-1

suse-cvrf
около 9 лет назад

Recommended update for libxml2

github логотип

GHSA-hwp3-c628-9f7v

github
больше 3 лет назад

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

4.3 Medium

CVSS2