CVSSv2: 4.3

CVE-2014-0191

Published: 21/01/2015 Updated: 29/08/2017
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Vulnerability Summary

The xmlParserHandlePEReference function in parser.c in libxml2 prior to 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote malicious users to cause a denial of service (resource consumption) via a crafted XML document.

Vulnerable Products

oracle fusion middleware 11.1.1.7.0

oracle fusion middleware 12.1.2.0.0

oracle fusion middleware 12.1.3.0.0

Vendor Advisories

libxml2 could be made to consume resources if it processed a specially crafted file ...
Debian Bug report logs - #765722 CVE-2014-3660 libxml2 billion laughs variant. Package: libxml2; Maintainer for libxml2 is Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>; Source for libxml2 is src:libxml2 (PTS, buildd, popcon). Reported by: Thijs Kinkhorst <thijs@debian.org>. Date: Fri, 17 Oct 2014 ...
Debian Bug report logs - #747309 CVE-2014-0191. Package: libxml2; Maintainer for libxml2 is Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>; Source for libxml2 is src:libxml2 (PTS, buildd, popcon). Reported by: Moritz Muehlenhoff <jmm@debian.org>. Date: Wed, 7 May 2014 11:45:01 UTC. Severity: grave ...
Daniel P. Berrange discovered a denial of service vulnerability in libxml2 entity substitution. For the stable distribution (wheezy), this problem has been fixed in version 2.8.0+dfsg1-7+wheezy1. For the unstable distribution (sid), this problem has been fixed in version 2.9.1+dfsg1-4. We recommend that you upgrade your libxml2 packages ...
It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU ...
It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on th ...
