Lucene search

[email protected]NVD:CVE-2014-3660

HistoryNov 04, 2014 - 4:55 p.m.

CVE-2014-3660

2014-11-0416:55:06

[email protected]

web.nvd.nist.gov

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.2 High

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.6%

JSON

parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the “billion laughs” attack.

Affected configurations

NVD

Node

xmlsoftlibxml2Range≤2.9.1

xmlsoftlibxml2Match2.0.0

xmlsoftlibxml2Match2.1.0

xmlsoftlibxml2Match2.1.1

xmlsoftlibxml2Match2.2.0

xmlsoftlibxml2Match2.2.0beta

xmlsoftlibxml2Match2.2.1

xmlsoftlibxml2Match2.2.2

xmlsoftlibxml2Match2.2.3

xmlsoftlibxml2Match2.2.4

xmlsoftlibxml2Match2.2.5

xmlsoftlibxml2Match2.2.6

xmlsoftlibxml2Match2.2.7

xmlsoftlibxml2Match2.2.8

xmlsoftlibxml2Match2.2.9

xmlsoftlibxml2Match2.2.10

xmlsoftlibxml2Match2.2.11

xmlsoftlibxml2Match2.3.0

xmlsoftlibxml2Match2.3.1

xmlsoftlibxml2Match2.3.2

xmlsoftlibxml2Match2.3.3

xmlsoftlibxml2Match2.3.4

xmlsoftlibxml2Match2.3.5

xmlsoftlibxml2Match2.3.6

xmlsoftlibxml2Match2.3.7

xmlsoftlibxml2Match2.3.8

xmlsoftlibxml2Match2.3.9

xmlsoftlibxml2Match2.3.10

xmlsoftlibxml2Match2.3.11

xmlsoftlibxml2Match2.3.12

xmlsoftlibxml2Match2.3.13

xmlsoftlibxml2Match2.3.14

xmlsoftlibxml2Match2.4.1

xmlsoftlibxml2Match2.4.2

xmlsoftlibxml2Match2.4.3

xmlsoftlibxml2Match2.4.4

xmlsoftlibxml2Match2.4.5

xmlsoftlibxml2Match2.4.6

xmlsoftlibxml2Match2.4.7

xmlsoftlibxml2Match2.4.8

xmlsoftlibxml2Match2.4.9

xmlsoftlibxml2Match2.4.10

xmlsoftlibxml2Match2.4.11

xmlsoftlibxml2Match2.4.12

xmlsoftlibxml2Match2.4.13

xmlsoftlibxml2Match2.4.14

xmlsoftlibxml2Match2.4.15

xmlsoftlibxml2Match2.4.16

xmlsoftlibxml2Match2.4.17

xmlsoftlibxml2Match2.4.18

xmlsoftlibxml2Match2.4.19

xmlsoftlibxml2Match2.4.20

xmlsoftlibxml2Match2.4.21

xmlsoftlibxml2Match2.4.22

xmlsoftlibxml2Match2.4.23

xmlsoftlibxml2Match2.4.24

xmlsoftlibxml2Match2.4.25

xmlsoftlibxml2Match2.4.26

xmlsoftlibxml2Match2.4.27

xmlsoftlibxml2Match2.4.28

xmlsoftlibxml2Match2.4.29

xmlsoftlibxml2Match2.4.30

xmlsoftlibxml2Match2.5.0

xmlsoftlibxml2Match2.5.4

xmlsoftlibxml2Match2.5.7

xmlsoftlibxml2Match2.5.8

xmlsoftlibxml2Match2.5.10

xmlsoftlibxml2Match2.5.11

xmlsoftlibxml2Match2.6.0

xmlsoftlibxml2Match2.6.1

xmlsoftlibxml2Match2.6.2

xmlsoftlibxml2Match2.6.3

xmlsoftlibxml2Match2.6.4

xmlsoftlibxml2Match2.6.5

xmlsoftlibxml2Match2.6.6

xmlsoftlibxml2Match2.6.7

xmlsoftlibxml2Match2.6.8

xmlsoftlibxml2Match2.6.9

xmlsoftlibxml2Match2.6.11

xmlsoftlibxml2Match2.6.12

xmlsoftlibxml2Match2.6.13

xmlsoftlibxml2Match2.6.14

xmlsoftlibxml2Match2.6.16

xmlsoftlibxml2Match2.6.17

xmlsoftlibxml2Match2.6.18

xmlsoftlibxml2Match2.6.20

xmlsoftlibxml2Match2.6.21

xmlsoftlibxml2Match2.6.22

xmlsoftlibxml2Match2.6.23

xmlsoftlibxml2Match2.6.24

xmlsoftlibxml2Match2.6.25

xmlsoftlibxml2Match2.6.26

xmlsoftlibxml2Match2.6.27

xmlsoftlibxml2Match2.6.28

xmlsoftlibxml2Match2.6.29

xmlsoftlibxml2Match2.6.30

xmlsoftlibxml2Match2.6.31

xmlsoftlibxml2Match2.6.32

xmlsoftlibxml2Match2.7.0

xmlsoftlibxml2Match2.7.1

xmlsoftlibxml2Match2.7.2

xmlsoftlibxml2Match2.7.3

xmlsoftlibxml2Match2.7.4

xmlsoftlibxml2Match2.7.5

xmlsoftlibxml2Match2.7.6

xmlsoftlibxml2Match2.7.7

xmlsoftlibxml2Match2.7.8

xmlsoftlibxml2Match2.8.0

xmlsoftlibxml2Match2.9.0

xmlsoftlibxml2Match2.9.0rc1

Node

applemac_os_xRange≤10.10.4

canonicalubuntu_linuxMatch10.04lts

canonicalubuntu_linuxMatch12.04lts

canonicalubuntu_linuxMatch14.04lts

debiandebian_linuxMatch7.0

redhatenterprise_linuxMatch5.0

References

kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

lists.apple.com/archives/security-announce/2015/Aug/msg00002.html

lists.opensuse.org/opensuse-updates/2014-10/msg00034.html

lists.opensuse.org/opensuse-updates/2015-12/msg00120.html

rhn.redhat.com/errata/RHSA-2014-1655.html

rhn.redhat.com/errata/RHSA-2014-1885.html

secunia.com/advisories/59903

secunia.com/advisories/61965

secunia.com/advisories/61966

secunia.com/advisories/61991

www.debian.org/security/2014/dsa-3057

www.mandriva.com/security/advisories?name=MDVSA-2014:244

www.openwall.com/lists/oss-security/2014/10/17/7

www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

www.securityfocus.com/bid/70644

www.ubuntu.com/usn/USN-2389-1

bugzilla.redhat.com/attachment.cgi?id=944444&action=diff

bugzilla.redhat.com/show_bug.cgi?id=1149084

support.apple.com/kb/HT205030

support.apple.com/kb/HT205031

www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.2 High

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.6%

JSON

Related for NVD:CVE-2014-3660