History: Jan 21, 2014 - 6:55 p.m.

CVE-2013-0340

2014-01-21 18:55:09
CWE-611
web.nvd.nist.gov
Tags: cve-2013-0340, expat 2.1.0, xxe, denial of service, resource consumption, xml document, nvd

CVSS2: 6.8 Medium

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score: 7.1 High (Confidence: High)

EPSS: 0.005 Low (Percentile: 76.9%)

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

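Affected configurations (NVD)

Node:
  Vendor: libexpat_project, Product: libexpat, Range: < 2.4.0

Node (OR):
  Vendor: python, Product: python, Range: 3.6.0 to 3.6.15
  Vendor: python, Product: python, Range: 3.7.0 to 3.7.12
  Vendor: python, Product: python, Range: 3.8.0 to 3.8.12
  Vendor: python, Product: python, Range: 3.9.0 to 3.9.7

Node (OR):
  Vendor: apple, Product: ipados, Range: < 14.8
  Vendor: apple, Product: iphone_os, Range: < 14.8
  Vendor: apple, Product: macos, Range: < 11.6
  Vendor: apple, Product: tvos, Range: < 15.0
  Vendor: apple, Product: watchos, Range: < 8.0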
