GoogleOSV:HSEC-2023-0004xml-conduit unbounded entity expansion
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
49.7%
xml-conduit unbounded entity expansion
A vulnerability was found in xml-conduit. It has been classified
as problematic. Affected is an unknown function of the file
xml-conduit/src/Text/XML/Stream/Parse.hs of the component DOCTYPE
Entity Expansion Handler. The manipulation leads to infinite loop.
It is possible to launch the attack remotely. Upgrading to version
1.9.1.0 is able to address this issue. The name of the patch is
4be1021791dcdee8b164d239433a2043dc0939ea. It is recommended to
upgrade the affected component.
| CPE | Name | Operator | Version |
|---|---|---|---|
| xml-conduit | eq | 0.7.0.1 | |
| xml-conduit | eq | 1.3.4 | |
| xml-conduit | eq | 1.4.0.4 | |
| xml-conduit | eq | 1.6.0 | |
| xml-conduit | eq | 1.2.6 | |
| xml-conduit | eq | 1.8.0 | |
| xml-conduit | eq | 1.0.3 | |
| xml-conduit | eq | 1.2.5.1 | |
| xml-conduit | eq | 1.4.0.2 | |
| xml-conduit | eq | 1.2.0 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
49.7%