Veracode Vulnerability DatabaseVERACODE:44759

HistoryDec 20, 2023 - 7:42 a.m.

Denial Of Service (DoS)

2023-12-2007:42:35

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

denial of service

libtinyxml.so

vulnerability

tinyxmlparser.cpp

crafted xml document

reachable assertion

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.2%

JSON

libtinyxml.so is vulnerable to Denial Of Service (DoS). The vulnerability arises due to a reachable assertion in tinyxmlparser.cpp. An attacker can potentially crash the application via a crafted XML document with a \0 located after a whitespace.

CPENameOperatorVersion
libtinyxml.sole2.6.2
libtinyxml.sole2.6.2

CPE	Name	Operator	Version
	libtinyxml.so	le	2.6.2
	libtinyxml.so	le	2.6.2

References

bugzilla.suse.com/show_bug.cgi?id=1218040

lists.debian.org/debian-lts-announce/2023/12/msg00024.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QCR5PIOBGDIDS6SYRESTMDJSEDFSCOE/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HOMBSHRIW5Q34SQSXYURYAOYDZD2NQF6/

sourceforge.net/p/tinyxml/git/ci/master/tree/tinyxmlparser.cpp

www.forescout.com/resources/sierra21-vulnerabilities