CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
27.8%
DISPUTED Xmlsoft Libxml2 v2.11.0 was discovered to contain an
out-of-bounds read via the xmlSAX2StartElement() function at
/libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of
Service (DoS) via supplying a crafted XML file. NOTE: the vendor’s position
is that the product does not support the legacy SAX1 interface with custom
callbacks; there is a crash even without crafted input.
Author | Note |
---|---|
ccdm94 | as explained by upstream in issue #535, this is not considered a security issue, but, instead, a mode of operation that was not working properly, regardless of the input provided. It is also not possible to reproduce the issue in versions older than 2.11.0, meaning, no Ubuntu releases as of 2022-11-21 would allow this, the provided PoC not being able to generate the crash on these releases. |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
27.8%