Arbitrary Code Execution

2021-05-0815:21:58

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

libxml2 is vulnerable to arbitrary code execution. A use-after-free occurs in xmllint when --html and --push options are used, allowing an attacker to execute arbitrary code on the host OS by submitting malicious files.

CPENameOperatorVersion
libxml2:sideq2.9.10+dfsg-6.2
libxml2:stretcheq2.9.4+dfsg1-2.2+deb9u2
libxml2:bullseyeeq2.9.10+dfsg-6.2
libxml2:bustereq2.9.4+dfsg1-7+b3
libxml2:bustereq2.9.4+dfsg1-7+deb10u1
libxml2eq2.9.7__7.el8
libxml2eq2.9.7__8.el8
libxml2eq2.9.7__5.el8
libxml2:groovyeq2.9.10+dfsg-5build1
libxml2:bioniceq2.9.4+dfsg1-6.1ubuntu1

Name	Operator	Version
libxml2:sid	eq	2.9.10+dfsg-6.2
libxml2:stretch	eq	2.9.4+dfsg1-2.2+deb9u2
libxml2:bullseye	eq	2.9.10+dfsg-6.2
libxml2:buster	eq	2.9.4+dfsg1-7+b3
libxml2:buster	eq	2.9.4+dfsg1-7+deb10u1
libxml2	eq	2.9.7__7.el8
libxml2	eq	2.9.7__8.el8
libxml2	eq	2.9.7__5.el8
libxml2:groovy	eq	2.9.10+dfsg-5build1
libxml2:bionic	eq	2.9.4+dfsg1-6.1ubuntu1