libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."
References
Link | Resource |
---|---|
http://mail.gnome.org/archives/xml/2008-August/msg00034.html | Mailing List, Patch |
http://secunia.com/advisories/31868 | Broken Link |
http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2 | Issue Tracking |
http://www.redhat.com/support/errata/RHSA-2008-0886.html | Broken Link |
http://www.stylusstudio.com/xmldev/200302/post20020.html | Broken Link |
http://xmlsoft.org/news.html | Release Notes |
History
02 Feb 2024, 14:10
Type | Values Removed | Values Added |
---|---|---|
CPE | individual per-version cpe:2.3:a:xmlsoft:libxml2 entries | cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:* |
CVSS | v2 : v3 : | v2 : 9.3 v3 : 6.5 |
CWE | CWE-776 | |
References | (MLIST) http://www.stylusstudio.com/xmldev/200302/post20020.html - Broken Link | |
References | (SECUNIA) http://secunia.com/advisories/31868 - Broken Link | |
References | (MISC) http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2 - Issue Tracking | |
References | (REDHAT) http://www.redhat.com/support/errata/RHSA-2008-0886.html - Broken Link | |
References | (MISC) http://xmlsoft.org/news.html - Release Notes | |
References | (MLIST) http://mail.gnome.org/archives/xml/2008-August/msg00034.html - Mailing List, Patch |
Information
Published : 2003-12-31 05:00
Updated : 2024-02-28 10:24
NVD link : CVE-2003-1564
Mitre link : CVE-2003-1564
CVE.ORG link : CVE-2003-1564
Products Affected
xmlsoft
- libxml2
CWE
CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')