Lucene search

K
rosalinuxROSA LABROSA-SA-2024-2467
HistoryAug 12, 2024 - 1:04 p.m.

Advisory ROSA-SA-2024-2467

2024-08-1213:04:30
ROSA LAB
abf.rosalinux.ru
3
libxml2
rosa-chrome
vulnerability
memory usage
denial of service
remote attack
cve-2023-45322
cve-2022-2309
fixed
update.

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.2

Confidence

Low

EPSS

0.006

Percentile

78.7%

software: libxml2 2.9.14
OS: ROSA-CHROME

package_evr_string: libxml2-2.9.14-5

CVE-ID: CVE-2023-45322
BDU-ID: 2023-06827
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the xmlUnlinkNode function (tree.c) of the libxml2 library is related to memory usage after it is freed. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update libxml2

CVE-ID: CVE-2022-2309
BDU-ID: None
CVE-Crit: HIGH
CVE-DESC.: Dereferencing a NULL pointer allows attackers to cause a denial of service (or application crash). This is only applicable when lxml is used in conjunction with libxml2. This allows failures to be caused via spoofed input, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code should not be widely used, given that parsing + iterwalk are usually replaced by the more efficient iterparse function. However, for example, an XML converter that serializes to C14N would also be vulnerable, and there are legitimate uses for this code sequence. If untrusted input data is received (also remotely) and processed using the iterwalk function, a crash may be caused.
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update libxml2

OSVersionArchitecturePackageVersionFilename
ROSAanynoarchlibxml2< 2.9.14UNKNOWN

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.2

Confidence

Low

EPSS

0.006

Percentile

78.7%