CVE-2012-0876

2012-07-0319:55:00

CWE-400

[email protected]

web.nvd.nist.gov

187

xml parser

expat

hash collisions

denial of service

cve-2012-0876

nvd

6.4 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.004 Low

EPSS

Percentile

73.8%

JSON

The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.

CPENameOperatorVersion
libexpat_project:libexpatlibexpat project libexpatlt2.1.0
python:pythonpythonlt3.2.3
python:pythonpythonlt3.1.5
python:pythonpythonlt2.7.3
python:pythonpythonlt2.6.8
debian:debian_linuxdebian debian linuxeq7.0
debian:debian_linuxdebian debian linuxeq6.0
canonical:ubuntu_linuxcanonical ubuntu linuxeq11.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq11.10
canonical:ubuntu_linuxcanonical ubuntu linuxeq8.04

CPE	Name	Operator	Version
libexpat_project:libexpat	libexpat project libexpat	lt	2.1.0
python:python	python	lt	3.2.3
python:python	python	lt	3.1.5
python:python	python	lt	2.7.3
python:python	python	lt	2.6.8
debian:debian_linux	debian debian linux	eq	7.0
debian:debian_linux	debian debian linux	eq	6.0
canonical:ubuntu_linux	canonical ubuntu linux	eq	11.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	11.10
canonical:ubuntu_linux	canonical ubuntu linux	eq	8.04