CVE-2008-3281

medium

Description

libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.

References

http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html

http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html

http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html

http://lists.vmware.com/pipermail/security-announce/2008/000039.html

http://mail.gnome.org/archives/xml/2008-August/msg00034.html

http://secunia.com/advisories/31558

http://secunia.com/advisories/31566

http://secunia.com/advisories/31590

http://secunia.com/advisories/31728

http://secunia.com/advisories/31748

http://secunia.com/advisories/31855

http://secunia.com/advisories/31982

http://secunia.com/advisories/32488

http://secunia.com/advisories/32807

http://secunia.com/advisories/32974

http://secunia.com/advisories/35379

http://security.gentoo.org/glsa/glsa-200812-06.xml

http://support.apple.com/kb/HT3613

http://support.apple.com/kb/HT3639

http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772

http://wiki.rpath.com/Advisories:rPSA-2008-0325

http://www.debian.org/security/2008/dsa-1631

http://www.mandriva.com/security/advisories?name=MDVSA-2008:180

http://www.mandriva.com/security/advisories?name=MDVSA-2008:192

http://www.securityfocus.com/archive/1/497962/100/0/threaded

http://www.securityfocus.com/bid/30783

http://www.securitytracker.com/id?1020728

http://www.ubuntu.com/usn/usn-640-1

http://www.vmware.com/security/advisories/VMSA-2008-0017.html

http://www.vupen.com/english/advisories/2008/2419

http://www.vupen.com/english/advisories/2008/2843

http://www.vupen.com/english/advisories/2008/2971

http://www.vupen.com/english/advisories/2009/1522

http://www.vupen.com/english/advisories/2009/1621

http://xmlsoft.org/news.html

https://bugzilla.redhat.com/show_bug.cgi?id=458086

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6496

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9812

https://rhn.redhat.com/errata/RHSA-2008-0836.html

https://usn.ubuntu.com/644-1/

https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00261.html

https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00347.html

Details

Source: MITRE

Published: 2008-08-27

Updated: 2018-10-11

Type: CWE-399

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 79462 | OracleVM 2.1 : libxml2 (OVMSA-2009-0018) | Nessus | OracleVM Local Security Checks | critical |
| 67737 | Oracle Linux 3 / 4 / 5 : libxml2 (ELSA-2008-0836) | Nessus | Oracle Linux Local Security Checks | medium |
| 60466 | Scientific Linux Security Update : libxml2 on SL3.x, SL4.x, SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium |
| 41240 | SuSE9 Security Update : libxml2 (YOU Patch Number 12237) | Nessus | SuSE Local Security Checks | critical |
| 40384 | VMSA-2008-0017 : Updated ESX packages for libxml2, ucd-snmp, libtiff | Nessus | VMware ESX Local Security Checks | critical |
| 40056 | openSUSE Security Update : libxml2 (libxml2-184) | Nessus | SuSE Local Security Checks | critical |
| 39339 | Safari < 4.0 Multiple Vulnerabilities | Nessus | Windows | high |
| 39338 | Mac OS X : Apple Safari < 4.0 | Nessus | MacOS X Local Security Checks | high |
| 38013 | Mandriva Linux Security Advisory : libxml2 (MDVSA-2008:192) | Nessus | Mandriva Local Security Checks | critical |
| 37936 | Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : libxml2 vulnerabilities (USN-644-1) | Nessus | Ubuntu Local Security Checks | critical |
| 36598 | Mandriva Linux Security Advisory : libxml2 (MDVSA-2008:180-1) | Nessus | Mandriva Local Security Checks | medium |
| 35023 | GLSA-200812-06 : libxml2: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical |
| 34416 | FreeBSD : libxml2 -- two vulnerabilities (d71da236-9a94-11dd-8f42-001c2514716c) | Nessus | FreeBSD Local Security Checks | critical |
| 34208 | openSUSE 10 Security Update : libxml2 (libxml2-5586) | Nessus | SuSE Local Security Checks | critical |
| 34207 | SuSE 10 Security Update : libxml2 (ZYPP Patch Number 5583) | Nessus | SuSE Local Security Checks | critical |
| 34147 | Fedora 8 : libxml2-2.6.32-2.fc8 (2008-7724) | Nessus | Fedora Local Security Checks | medium |
| 34130 | Fedora 9 : libxml2-2.6.32-3.fc9 (2008-7395) | Nessus | Fedora Local Security Checks | medium |
| 34094 | Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : libxml2 vulnerability (USN-640-1) | Nessus | Ubuntu Local Security Checks | medium |
| 34051 | CentOS 3 / 4 / 5 : libxml2 (CESA-2008:0836) | Nessus | CentOS Local Security Checks | medium |
| 34033 | Debian DSA-1631-2 : libxml2 - denial of service | Nessus | Debian Local Security Checks | medium |
| 34023 | RHEL 2.1 / 3 / 4 / 5 : libxml2 (RHSA-2008:0836) | Nessus | Red Hat Local Security Checks | medium |