Lucene search

Ubuntu.comUB:CVE-2010-4657

HistoryNov 13, 2019 - 12:00 a.m.

CVE-2010-4657

2019-11-1300:00:00

ubuntu.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.008 Low

EPSS

Percentile

81.2%

JSON

PHP5 before 5.4.4 allows passing invalid utf-8 strings via the
xmlTextWriterWriteAttribute, which are then misparsed by libxml2. This
results in memory leak into the resulting output.

Bugs

Notes

Author	Note
jdstrand	per Debian, This was initially reported to be a bug in libxml2, but it later showed that PHP
mdeslaur	can’t reproduce on quantal+ The reproducer only displays garbage if the suhosin patch is applied, which is why it doesn’t appear to work on quantal+ Need to check if libxml2 still walks past the end of the string if the suhosin patch isn’t applied. we will not be fixing this issue

References

launchpad.net/bugs/cve/CVE-2010-4657

nvd.nist.gov/vuln/detail/CVE-2010-4657

security-tracker.debian.org/tracker/CVE-2010-4657

www.cve.org/CVERecord?id=CVE-2010-4657

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.008 Low

EPSS

Percentile

81.2%

JSON

Related for UB:CVE-2010-4657