CVE-2017-16932 - OpenCVE

parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Xmlsoft	Libxml2

Configuration 1 [-]

cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*

References

Link	Resource
http://xmlsoft.org/news.html	Release Notes Vendor Advisory
https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html
https://bugzilla.gnome.org/show_bug.cgi?id=759579	Permissions Required
https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961	Patch Third Party Advisory
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html
https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html
https://usn.ubuntu.com/3739-1/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-11-23T21:00:00

Updated: 2022-04-08T22:06:22

Reserved: 2017-11-23T00:00:00

Link: CVE-2017-16932

JSON object: View

NVD Information

Status : Modified

Published: 2017-11-23T21:29:00.437

Modified: 2023-11-07T02:40:56.917

Link: CVE-2017-16932

JSON object: View

Redhat Information

No data.

CWE

CWE-835

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-11-23T00:00:00", "descriptions": [{"lang": "en", "value": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-08T22:06:22", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html"}, {"name": "[debian-lts-announce] 20171130 [SECURITY] [DLA 1194-1] libxml2 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://xmlsoft.org/news.html"}, {"name": "USN-3739-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3739-1/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.gnome.org/show_bug.cgi?id=759579"}, {"name": "[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"}, {"name": "[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"}, {"name": "[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-16932", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html", "refsource": "CONFIRM", "url": "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html"}, {"name": "[debian-lts-announce] 20171130 [SECURITY] [DLA 1194-1] libxml2 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html"}, {"name": "http://xmlsoft.org/news.html", "refsource": "CONFIRM", "url": "http://xmlsoft.org/news.html"}, {"name": "USN-3739-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3739-1/"}, {"name": "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961", "refsource": "CONFIRM", "url": "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961"}, {"name": "https://bugzilla.gnome.org/show_bug.cgi?id=759579", "refsource": "CONFIRM", "url": "https://bugzilla.gnome.org/show_bug.cgi?id=759579"}, {"name": "[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"}, {"name": "[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"}, {"name": "[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-16932", "datePublished": "2017-11-23T21:00:00", "dateReserved": "2017-11-23T00:00:00", "dateUpdated": "2022-04-08T22:06:22", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CC4875D-A4B2-4A7C-B020-7C2E86412B7C", "versionEndIncluding": "2.9.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities."}, {"lang": "es", "value": "parser.c en libxml2 en versiones anteriores a la 2.9.5 no evita la recursi\u00f3n infinita en las entidades de par\u00e1metro."}], "id": "CVE-2017-16932", "lastModified": "2023-11-07T02:40:56.917", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-23T21:29:00.437", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://xmlsoft.org/news.html"}, {"source": "cve@mitre.org", "url": "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://bugzilla.gnome.org/show_bug.cgi?id=759579"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961"}, {"source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"}, {"source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/3739-1/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}