libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P
Vendors Products
Apple
  • Iphone Os
  • Safari
Xmlsoft
  • Libxml2
Canonical
  • Ubuntu Linux
Fedoraproject
  • Fedora
Vmware
  • Esx
Debian
  • Debian Linux
Redhat
  • Enterprise Linux Desktop
  • Enterprise Linux Workstation
  • Enterprise Linux Server
  • Enterprise Linux Eus

Configuration 1 [-]

cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:*:*:*:*

Configuration 5 [-]

cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*

Configuration 6 [-]

OR cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:4.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:5.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:2.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:3.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:2.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*

Configuration 7 [-]

OR cpe:2.3:o:vmware:esx:2.5.4:*:*:*:*:*:*:*
cpe:2.3:o:vmware:esx:2.5.5:*:*:*:*:*:*:*
cpe:2.3:o:vmware:esx:3.0.2:*:*:*:*:*:*:*
cpe:2.3:o:vmware:esx:3.0.3:*:*:*:*:*:*:*
References
Link Resource
http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html Mailing List
http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html Broken Link Mailing List
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html Mailing List
http://lists.vmware.com/pipermail/security-announce/2008/000039.html Broken Link
http://mail.gnome.org/archives/xml/2008-August/msg00034.html Mailing List Patch
http://secunia.com/advisories/31558 Broken Link
http://secunia.com/advisories/31566 Broken Link
http://secunia.com/advisories/31590 Broken Link
http://secunia.com/advisories/31728 Broken Link
http://secunia.com/advisories/31748 Broken Link
http://secunia.com/advisories/31855 Broken Link
http://secunia.com/advisories/31982 Broken Link
http://secunia.com/advisories/32488 Broken Link
http://secunia.com/advisories/32807 Broken Link
http://secunia.com/advisories/32974 Broken Link
http://secunia.com/advisories/35379 Broken Link
http://security.gentoo.org/glsa/glsa-200812-06.xml Third Party Advisory
http://support.apple.com/kb/HT3613 Third Party Advisory
http://support.apple.com/kb/HT3639 Third Party Advisory
http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772 Broken Link
http://wiki.rpath.com/Advisories:rPSA-2008-0325 Broken Link
http://www.debian.org/security/2008/dsa-1631 Mailing List Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2008:180 Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2008:192 Broken Link
http://www.securityfocus.com/archive/1/497962/100/0/threaded Broken Link Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/30783 Broken Link Patch Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1020728 Broken Link Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/usn-640-1 Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2008-0017.html Third Party Advisory
http://www.vupen.com/english/advisories/2008/2419 Broken Link
http://www.vupen.com/english/advisories/2008/2843 Broken Link
http://www.vupen.com/english/advisories/2008/2971 Broken Link
http://www.vupen.com/english/advisories/2009/1522 Broken Link
http://www.vupen.com/english/advisories/2009/1621 Broken Link
http://xmlsoft.org/news.html Release Notes
https://bugzilla.redhat.com/show_bug.cgi?id=458086 Issue Tracking
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6496 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9812 Broken Link
https://rhn.redhat.com/errata/RHSA-2008-0836.html Third Party Advisory
https://usn.ubuntu.com/644-1/ Broken Link
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00261.html Mailing List
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00347.html Mailing List
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2008-08-27T20:00:00

Updated: 2018-10-11T19:57:01

Reserved: 2008-07-24T00:00:00

Link: CVE-2008-3281

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2008-08-27T20:41:00.000

Modified: 2024-02-02T15:02:14.603

Link: CVE-2008-3281

JSON object: View

cve-icon Redhat Information

No data.

CWE