ubuntucve / Ubuntu.com / UB:CVE-2013-0340
History: Jan 21, 2014 - 12:00 a.m.

CVE-2013-0340

2014-01-21 00:00:00
ubuntu.com

CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.005 Low (Percentile: 76.9%)

expat 2.1.0 and earlier does not properly handle entities expansion unless
an application developer uses the XML_SetEntityDeclHandler function, which
allows remote attackers to cause a denial of service (resource
consumption), send HTTP requests to intranet servers, or read arbitrary
files via a crafted XML document, aka an XML External Entity (XXE) issue.
NOTE: it could be argued that because expat already provides the ability to
disable external entity expansion, the responsibility for resolving this
issue lies with application developers; according to this argument, this
entry should be REJECTed, and each affected application would need its own
CVE.
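
The mitigation the description points to, as an added example (not code from the advisory or from expat): an application installs an entity declaration handler and refuses any document that declares entities. It uses Python's `xml.parsers.expat` binding, whose `EntityDeclHandler` attribute is the counterpart of `XML_SetEntityDeclHandler`; the function names and sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample inputs (not taken from the advisory).
PLAIN_DOC = b"<r><a>1 &amp; 2</a></r>"
INTERNAL_DOC = b'<!DOCTYPE r [<!ENTITY e "text">]><r>&e;</r>'
EXTERNAL_DOC = (b'<!DOCTYPE r [<!ENTITY e SYSTEM '
                b'"http://example.invalid/placeholder.ent">]><r>&e;</r>')


class EntityDeclared(ValueError):
    """Raised when a document declares any entity in its DTD."""


def parse_rejecting_entities(data):
    """Parse data with expat; return element names in document order.

    Any <!ENTITY ...> declaration aborts the parse at the declaration,
    before a reference to that entity is processed.
    """
    names = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # system_id is set for external entities, None for internal ones.
        kind = "external" if system_id is not None else "internal"
        raise EntityDeclared("%s entity %r declared" % (kind, name))

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def check(data):
    """Return 'ok' or the rejection reason for one document."""
    try:
        parse_rejecting_entities(data)
        return "ok"
    except EntityDeclared as exc:
        return str(exc)


if __name__ == "__main__":
    for doc in (PLAIN_DOC, INTERNAL_DOC, EXTERNAL_DOC):
        print(check(doc))
```

Predefined entities such as `&amp;` are not declared in a DTD, so they do not trigger the handler and ordinary documents still parse.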

Notes

Author: jdstrand
Note: PoC in oss-sec; no upstream commits as of 2013-03-21. Contacted upstream on their (possibly moderated) expat-bugs mailing list since their bug tracker was down; still no commits or upstream comments as of 2013-04-23.

Author: mdeslaur
Note: Expat does not read or parse external entities directly; it is up to applications to do so. http://seclists.org/oss-sec/2013/q2/78 Marking as ignored; application-specific CVEs should be assigned to individual applications.

Author: seth-arnold
Note: Upstream libexpat has introduced heuristics in 2.4.0 to limit the damage due to various entity expansion issues. These fixes won’t be backported to previous releases due to the risk of regression due to the size, complexity, and new APIs.
