CVE-2013-0340

2014-01-2118:55:00

CWE-611

[email protected]

web.nvd.nist.gov

557

cve-2013-0340

expat 2.1.0

xxe

denial of service

resource consumption

xml document

nvd

6.7 Medium

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

76.7%

JSON

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

CPENameOperatorVersion
libexpat_project:libexpatlibexpat project libexpatlt2.4.0
python:pythonpythonlt3.8.12
python:pythonpythonlt3.9.7
python:pythonpythonlt3.7.12
python:pythonpythonlt3.6.15
apple:ipadosapple ipadoslt14.8
apple:iphone_osapple iphone oslt14.8
apple:macosapple macoslt11.6
apple:watchosapple watchoslt8.0
apple:tvosapple tvoslt15.0

CPE	Name	Operator	Version
libexpat_project:libexpat	libexpat project libexpat	lt	2.4.0
python:python	python	lt	3.8.12
python:python	python	lt	3.9.7
python:python	python	lt	3.7.12
python:python	python	lt	3.6.15
apple:ipados	apple ipados	lt	14.8
apple:iphone_os	apple iphone os	lt	14.8
apple:macos	apple macos	lt	11.6
apple:watchos	apple watchos	lt	8.0
apple:tvos	apple tvos	lt	15.0