{ "version": "1", "package": [ { "name": "expat-native", "layer": "meta", "version": "2.6.3", "products": [ { "product": "expat", "cvesInRecord": "No" }, { "product": "libexpat", "cvesInRecord": "Yes" } ], "issue": [ { "id": "CVE-2009-3560", "summary": "The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3560" }, { "id": "CVE-2009-3720", "summary": "The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3720" }, { "id": "CVE-2012-0876", "summary": "The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.", "scorev2": "4.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0876" }, { "id": "CVE-2012-1147", "summary": "readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.", "scorev2": "4.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1147" }, { "id": "CVE-2012-1148", "summary": "Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1148" }, { "id": "CVE-2012-6702", "summary": "Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.", "scorev2": "4.3", "scorev3": "5.9", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6702" }, { "id": "CVE-2013-0340", "summary": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0340" }, { "id": "CVE-2015-1283", "summary": "Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1283" }, { "id": "CVE-2016-0718", "summary": "Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.", "scorev2": "7.5", "scorev3": "9.8", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0718" }, { "id": "CVE-2016-4472", "summary": "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.", "scorev2": "6.8", "scorev3": "8.1", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4472" }, { "id": "CVE-2016-5300", "summary": "The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.", "scorev2": "7.8", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5300" }, { "id": "CVE-2017-11742", "summary": "The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking.", "scorev2": "4.6", "scorev3": "7.8", "vector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11742" }, { "id": "CVE-2017-9233", "summary": "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.", "scorev2": "5.0", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9233" }, { "id": "CVE-2018-20843", "summary": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).", "scorev2": "7.8", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20843" }, { "id": "CVE-2019-15903", "summary": "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.", "scorev2": "5.0", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15903" }, { "id": "CVE-2021-45960", "summary": "In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).", "scorev2": "9.0", "scorev3": "8.8", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45960" }, { "id": "CVE-2021-46143", "summary": "In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.", "scorev2": "6.8", "scorev3": "7.8", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46143" }, { "id": "CVE-2022-22822", "summary": "addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", "scorev2": "7.5", "scorev3": "9.8", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22822" }, { "id": "CVE-2022-22823", "summary": "build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", "scorev2": "7.5", "scorev3": "9.8", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22823" }, { "id": "CVE-2022-22824", "summary": "defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", "scorev2": "7.5", "scorev3": "9.8", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22824" }, { "id": "CVE-2022-22825", "summary": "lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", "scorev2": "6.8", "scorev3": "8.8", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22825" }, { "id": "CVE-2022-22826", "summary": "nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", "scorev2": "6.8", "scorev3": "8.8", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22826" }, { "id": "CVE-2022-22827", "summary": "storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", "scorev2": "6.8", "scorev3": "8.8", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-22827" }, { "id": "CVE-2022-23852", "summary": "Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.", "scorev2": "7.5", "scorev3": "9.8", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23852" }, { "id": "CVE-2022-23990", "summary": "Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.", "scorev2": "5.0", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23990" }, { "id": "CVE-2022-25235", "summary": "xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.", "scorev2": "7.5", "scorev3": "9.8", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25235" }, { "id": "CVE-2022-25236", "summary": "xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.", "scorev2": "7.5", "scorev3": "9.8", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25236" }, { "id": "CVE-2022-25313", "summary": "In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.", "scorev2": "4.3", "scorev3": "6.5", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25313" }, { "id": "CVE-2022-25314", "summary": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.", "scorev2": "5.0", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25314" }, { "id": "CVE-2022-25315", "summary": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.", "scorev2": "7.5", "scorev3": "9.8", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25315" }, { "id": "CVE-2022-40674", "summary": "libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.", "scorev2": "0.0", "scorev3": "8.1", "vector": "NETWORK", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40674" }, { "id": "CVE-2022-43680", "summary": "In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.", "scorev2": "0.0", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43680" }, { "id": "CVE-2023-52425", "summary": "libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.", "scorev2": "0.0", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52425" }, { "id": "CVE-2023-52426", "summary": "libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.", "scorev2": "0.0", "scorev3": "5.5", "vector": "LOCAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52426" }, { "id": "CVE-2024-45490", "summary": "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.", "scorev2": "0.0", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45490" }, { "id": "CVE-2024-45491", "summary": "An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "scorev2": "0.0", "scorev3": "9.8", "vector": "NETWORK", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45491" }, { "id": "CVE-2024-45492", "summary": "An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "scorev2": "0.0", "scorev3": "9.8", "vector": "NETWORK", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45492" } ] } ] }