Lucene search

K
nvd[email protected]NVD:CVE-2013-0340
HistoryJan 21, 2014 - 6:55 p.m.

CVE-2013-0340

2014-01-2118:55:09
CWE-611
web.nvd.nist.gov
2

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

6.8 Medium

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.9%

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

Affected configurations

NVD
Node
libexpat_projectlibexpatRange<2.4.0
Node
pythonpythonRange3.6.03.6.15
OR
pythonpythonRange3.7.03.7.12
OR
pythonpythonRange3.8.03.8.12
OR
pythonpythonRange3.9.03.9.7
Node
appleipadosRange<14.8
OR
appleiphone_osRange<14.8
OR
applemacosRange<11.6
OR
appletvosRange<15.0
OR
applewatchosRange<8.0

References

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

6.8 Medium

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.9%