GitHub Advisory Database: GHSA-7GF7-JV65-WJMH
History: Jun 05, 2023 - 6:30 a.m.

xml-rs vulnerable to denial of service via invalid token in XML document

2023-06-05 06:30:15
CWE-617
GitHub Advisory Database
github.com
Tags: xml-rs crate, denial of service, invalid token, xml document, rust, crab, vulnerability

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 48.0%

The xml-rs crate >= 0.8.9 and < 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document.

Affected configurations

Vulners

Node: xml-rs
Range: 0.8.9 to 0.8.14

Vendor: *
Product: xml-rs
Version: *
CPE: cpe:2.3:a:*:xml-rs:*:*:*:*:*:*:*:*
