CVE-2009-2414

MEDIUM

Description

Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.

References

http://googlechromereleases.blogspot.com/2009/08/stable-update-security-fixes.html

http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

http://lists.apple.com/archives/security-announce/2009/Nov/msg00001.html

http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html

http://secunia.com/advisories/35036

http://secunia.com/advisories/36207

http://secunia.com/advisories/36338

http://secunia.com/advisories/36417

http://secunia.com/advisories/36631

http://secunia.com/advisories/37346

http://secunia.com/advisories/37471

http://support.apple.com/kb/HT3937

http://support.apple.com/kb/HT3949

http://support.apple.com/kb/HT4225

http://www.cert.fi/en/reports/2009/vulnerability2009085.html

http://www.codenomicon.com/labs/xml/

http://www.debian.org/security/2009/dsa-1859

http://www.mail-archive.com/[email protected]/msg678527.html

http://www.networkworld.com/columnists/2009/080509-xml-flaw.html

http://www.openoffice.org/security/cves/CVE-2009-2414-2416.html

http://www.securityfocus.com/archive/1/507985/100/0/threaded

http://www.securityfocus.com/bid/36010

http://www.ubuntu.com/usn/USN-815-1

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

http://www.vupen.com/english/advisories/2009/2420

http://www.vupen.com/english/advisories/2009/3184

http://www.vupen.com/english/advisories/2009/3217

http://www.vupen.com/english/advisories/2009/3316

https://bugzilla.redhat.com/show_bug.cgi?id=515195

https://git.gnome.org/browse/libxml2/commit/?id=489f9671e71cc44a97b23111b3126ac8a1e21a59

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10129

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8639

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00537.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00547.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00642.html

Details

Source: MITRE

Published: 2009-08-11

Updated: 2018-10-10

Type: CWE-119

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:xmlsoft:libxml:1.8.17:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.5.10:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.16:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.26:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.27:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.32:*:*:*:*:*:*:*

Tenable Plugins

View all (36 total)

IDNameProductFamilySeverity
89117VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)NessusMisc.
critical
79462OracleVM 2.1 : libxml2 (OVMSA-2009-0018)NessusOracleVM Local Security Checks
critical
67909Oracle Linux 3 / 4 / 5 : libxml / libxml2 (ELSA-2009-1206)NessusOracle Linux Local Security Checks
medium
60637Scientific Linux Security Update : libxml and libxml2 on SL3.x, SL4.x, SL5.x i386/x86_64NessusScientific Linux Local Security Checks
medium
56772FreeBSD : libxml -- Stack consumption vulnerability (5a7d4110-0b7a-11e1-846b-00235409fd3e)NessusFreeBSD Local Security Checks
medium
51756SuSE 10 Security Update : libxml (ZYPP Patch Number 6482)NessusSuSE Local Security Checks
medium
49636GLSA-201009-07 : libxml2: Denial of ServiceNessusGentoo Local Security Checks
medium
5578Apple iOS < 4.0 Multiple VulnerabilitiesNessus Network MonitorMobile Devices
critical
44726Debian DSA-1861-1 : libxml - several vulnerabilitiesNessusDebian Local Security Checks
medium
44724Debian DSA-1859-1 : libxml2 - several vulnerabilitiesNessusDebian Local Security Checks
medium
42870VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.NessusVMware ESX Local Security Checks
critical
42478Safari < 4.0.4 Multiple VulnerabilitiesNessusWindows
high
42477Mac OS X : Apple Safari < 4.0.4NessusMacOS X Local Security Checks
high
801003Safari < 4.0.4 Multiple VulnerabilitiesLog Correlation EngineWeb Clients
high
5232Safari < 4.0.4 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
medium
800795Mac OS X 10.6 < 10.6.2 Multiple VulnerabilitiesLog Correlation EngineOperating System Detection
high
5227Mac OS X 10.6 < 10.6.2 Multiple VulnerabilitiesNessus Network MonitorGeneric
critical
42434Mac OS X 10.6.x < 10.6.2 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
critical
42433Mac OS X Multiple Vulnerabilities (Security Update 2009-006)NessusMacOS X Local Security Checks
critical
42021openSUSE 10 Security Update : libxml2 (libxml2-6405)NessusSuSE Local Security Checks
medium
42020openSUSE 10 Security Update : libxml (libxml-6477)NessusSuSE Local Security Checks
medium
41325SuSE9 Security Update : libxml.rpm (YOU Patch Number 12504)NessusSuSE Local Security Checks
medium
41004openSUSE Security Update : libxml (libxml-1278)NessusSuSE Local Security Checks
medium
41002openSUSE Security Update : libxml (libxml-1278)NessusSuSE Local Security Checks
medium
40778Google Chrome < 2.0.172.43 Multiple VulnerabilitiesNessusWindows
high
40604Fedora 10 : libxml-1.8.17-24.fc10 (2009-8594)NessusFedora Local Security Checks
critical
40603Fedora 11 : libxml-1.8.17-24.fc11 (2009-8582)NessusFedora Local Security Checks
critical
40602Fedora 11 : mingw32-libxml2-2.7.3-2.fc11 (2009-8580)NessusFedora Local Security Checks
medium
40584Mandriva Linux Security Advisory : libxml (MDVSA-2009:200-1)NessusMandriva Local Security Checks
medium
40576Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : libxml2 vulnerabilities (USN-815-1)NessusUbuntu Local Security Checks
critical
40575openSUSE Security Update : libxml2 (libxml2-1175)NessusSuSE Local Security Checks
medium
40573openSUSE Security Update : libxml2 (libxml2-1175)NessusSuSE Local Security Checks
medium
40570Fedora 11 : libxml2-2.7.3-3.fc11 (2009-8498)NessusFedora Local Security Checks
medium
40569Fedora 10 : libxml2-2.7.3-2.fc10 (2009-8491)NessusFedora Local Security Checks
medium
40544RHEL 3 / 4 / 5 : libxml and libxml2 (RHSA-2009:1206)NessusRed Hat Local Security Checks
medium
40533CentOS 3 / 5 : libxml / libxml2 (CESA-2009:1206)NessusCentOS Local Security Checks
medium