Description
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with a stack overflow when a user uses the XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use the XML builder with `preserveOrder:false` or check the input data before passing it to the builder.
A flaw was found in fast-xml-parser. A user can exploit this flaw by processing specially crafted XML data with the XML builder when the preserveOrder option is enabled. This can lead to a stack overflow, causing the application to crash and resulting in a Denial of Service (DoS).
Mitigation
To mitigate this vulnerability, configure applications using the fast-xml-parser XML builder to set the preserveOrder option to false. Alternatively, ensure that all XML input data is thoroughly validated before being passed to the builder to prevent the processing of malicious or malformed content.
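As an added example (not code from the advisory or from the fast-xml-parser project), the following JavaScript implements the second mitigation above: a nesting-depth check on the ordered node array before it is handed to XMLBuilder with preserveOrder:true. The assumed shape of preserveOrder data (an array of nodes, each keyed by tag name with a child array, plus optional `:@` attributes and `#text`), the MAX_DEPTH value and the `builderFactory` hook are assumptions made here so the block runs without the package installed.

```javascript
// Added example: depth guard for preserveOrder node arrays before they reach XMLBuilder.
// Assumed preserveOrder shape: [{ tag: [children...], ':@': {attrs}, '#text': '...' }, ...]
const MAX_DEPTH = 256; // constructed limit; keep it well below the runtime's stack budget

// Returns the nesting depth of an ordered node array. Stops descending as soon as the
// depth would exceed `limit`, so the check itself never recurses deeper than limit + 1.
function orderedDepth(nodes, limit, depth = 0) {
  if (!Array.isArray(nodes)) {
    throw new TypeError('preserveOrder data must be an array of nodes');
  }
  let max = depth;
  for (const node of nodes) {
    if (node === null || typeof node !== 'object') continue; // primitive leaf
    for (const [key, value] of Object.entries(node)) {
      if (key === ':@' || key === '#text') continue; // attributes and text are leaves
      if (!Array.isArray(value)) continue;           // not a child list
      if (depth + 1 > limit) return depth + 1;       // bail out before going deeper
      const d = orderedDepth(value, limit, depth + 1);
      if (d > limit) return d;                       // propagate the early exit
      if (d > max) max = d;
    }
  }
  return max;
}

// Gate: true if the data is shallow enough to hand to XMLBuilder with preserveOrder:true.
function isSafeForOrderedBuilder(nodes, limit = MAX_DEPTH) {
  return orderedDepth(nodes, limit) <= limit;
}

// Constructed input: a chain <a><a>...<a>leaf</a>...</a></a> of the given depth.
function nestedChain(depth) {
  let nodes = [{ '#text': 'leaf' }];
  for (let i = 0; i < depth; i++) nodes = [{ a: nodes }];
  return nodes;
}

// Wraps the builder call. `builderFactory` is a hypothetical hook so this runs without
// the package; with the real library pass opts => new XMLBuilder(opts).
function buildOrdered(builderFactory, nodes, limit = MAX_DEPTH) {
  if (!isSafeForOrderedBuilder(nodes, limit)) {
    throw new RangeError(`preserveOrder input nests deeper than ${limit} levels`);
  }
  return builderFactory({ preserveOrder: true, format: false }).build(nodes);
}
```

The guard rejects oversized input with a RangeError before the builder's own recursion can exhaust the stack.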
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Migration Toolkit for Applications 8 | mta/mta-ui-rhel9 | Affected | | |
| Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-main-rhel8 | Affected | | |
| Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/mcg-core-rhel9 | Affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/ocs-client-console-rhel9 | Affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/odf-console-rhel9 | Affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/odf-multicluster-console-rhel9 | Not affected | | |
| Red Hat OpenShift GitOps | openshift-gitops-1/argocd-rhel8 | Affected | | |
| Red Hat OpenShift GitOps | openshift-gitops-1/argocd-rhel9 | Affected | | |
| Red Hat OpenShift Virtualization 4 | container-native-virtualization/kubevirt-console-plugin | Affected | | |
CVSS3: 7.5 High
Related vulnerabilities
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder