CVE-2017-9047

2017-05-1806:29:00

Google

osv.dev

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.046 Low

EPSS

Percentile

92.3%

JSON

A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer ‘buf’ of size ‘size’. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses ‘len’ rather than the updated buffer length strlen(buf). This allows us to write about “size” many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.

CPENameOperatorVersion
libxml2eqLIBXML_2_4_12
libxml2eqCVE-2016-1836
libxml2eqLIBXML_2_2_8
libxml2eqEAZEL-NAUTILUS-MS-AUG07
libxml2eqCVE-2015-5312
libxml2eqCVE-2016-1834
libxml2eqLIB_XML_1_4
libxml2eqCVE-2016-1835
libxml2eqCVE-2015-7500
libxml2eqLIBXML_2_0_0

Name	Operator	Version
libxml2	eq	LIBXML_2_4_12
libxml2	eq	CVE-2016-1836
libxml2	eq	LIBXML_2_2_8
libxml2	eq	EAZEL-NAUTILUS-MS-AUG07
libxml2	eq	CVE-2015-5312
libxml2	eq	CVE-2016-1834
libxml2	eq	LIB_XML_1_4
libxml2	eq	CVE-2016-1835
libxml2	eq	CVE-2015-7500
libxml2	eq	LIBXML_2_0_0