AI Score: 6.7 Medium (confidence: High)
CVSS2: 6.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 0.005 (Low), percentile 76.6%
expat 2.1.0 and earlier does not properly handle entity expansion unless the application developer registers an entity-declaration handler with the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption through entity expansion), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
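The mitigation the advisory refers to is an application-side check: expat will call the handler registered with XML_SetEntityDeclHandler for every `<!ENTITY ...>` declaration, and the application decides whether to accept it. The following added example (not part of this advisory or of the expat project) shows that check through Python's standard-library binding `xml.parsers.expat`, where the same callback is exposed as `EntityDeclHandler`, next to an unhardened parser that expands a small internal-entity chain and silently drops an external entity reference. Both XML documents are constructed samples; the `/etc/hostname` path inside the second one is never read because the hardened parser refuses the declaration before any reference is resolved.

```python
import xml.parsers.expat as expat

# Constructed sample 1: internal entity chain (the resource-consumption vector),
# kept to 100 expansions so it runs instantly.
LAUGHS_DOC = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# Constructed sample 2: external general entity (the file-read / intranet-request vector).
XXE_DOC = """<?xml version="1.0"?>
<!DOCTYPE data [
 <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<data>&xxe;</data>"""


class EntityDeclarationRejected(Exception):
    """Raised by the hardened parser when the document declares any entity."""


def parse_unhardened(doc):
    """Plain expat with only a character-data handler.

    Internal entities are expanded in full; an external entity reference is
    skipped without error because no ExternalEntityRefHandler is registered,
    which is exactly the silent behaviour that leaves the policy decision to
    the application.
    """
    chunks = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append
    parser.Parse(doc, True)
    return "".join(chunks)


def parse_hardened(doc):
    """expat with the checks the advisory points at.

    EntityDeclHandler (expat's XML_SetEntityDeclHandler) sees every entity
    declaration, internal or external, before any reference to it can be
    expanded; refusing all of them removes both the amplification and the
    XXE vector. The other two settings are defence in depth for documents
    that get past that handler: never follow an external entity reference and
    never parse parameter entities (the external DTD subset).
    """
    chunks = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        kind = "external" if system_id is not None else "internal"
        raise EntityDeclarationRejected(f"refusing {kind} entity {name!r}")

    def on_external_entity_ref(context, base, system_id, public_id):
        return 0  # non-zero means "go ahead"; 0 makes expat abort the parse

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(doc, True)
    return "".join(chunks)


def hardened_rejects(doc):
    """True when the hardened parser refuses the document outright."""
    try:
        parse_hardened(doc)
    except EntityDeclarationRejected:
        return True
    return False


if __name__ == "__main__":
    print("unhardened, entity chain:", len(parse_unhardened(LAUGHS_DOC)), "bytes of text")
    print("unhardened, external entity:", repr(parse_unhardened(XXE_DOC)))
    print("hardened rejects entity chain:", hardened_rejects(LAUGHS_DOC))
    print("hardened rejects external entity:", hardened_rejects(XXE_DOC))
```

The unhardened run returns 300 characters for the first document (three levels of tenfold expansion) and an empty string for the second, with no error either way: an application that only parses and never inspects the DTD has no way to tell that an entity was declared or dropped. Raising from the declaration handler is the simplest policy; an application that genuinely needs internal entities can instead inspect `value`, `system_id` and `is_parameter_entity` in that callback and refuse only external or oversized ones.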
OS | OS version | Architecture | Package | Affected version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | expat | < 2.4.1-2 | expat_2.4.1-2_all.deb |
Debian | 11 | all | expat | <= 2.2.10-2+deb11u5 | expat_2.2.10-2+deb11u5_all.deb |
Debian | 10 | all | expat | <= 2.2.6-2+deb10u4 | expat_2.2.6-2+deb10u4_all.deb |
Debian | 999 | all | expat | < 2.4.1-2 | expat_2.4.1-2_all.deb |
Debian | 13 | all | expat | < 2.4.1-2 | expat_2.4.1-2_all.deb |