CVE-2009-2414

MEDIUM

Description

Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.

References

http://googlechromereleases.blogspot.com/2009/08/stable-update-security-fixes.html

http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

http://lists.apple.com/archives/security-announce/2009/Nov/msg00001.html

http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html

http://secunia.com/advisories/35036

http://secunia.com/advisories/36207

http://secunia.com/advisories/36338

http://secunia.com/advisories/36417

http://secunia.com/advisories/36631

http://secunia.com/advisories/37346

http://secunia.com/advisories/37471

http://support.apple.com/kb/HT3937

http://support.apple.com/kb/HT3949

http://support.apple.com/kb/HT4225

http://www.cert.fi/en/reports/2009/vulnerability2009085.html

http://www.codenomicon.com/labs/xml/

http://www.debian.org/security/2009/dsa-1859

http://www.mail-archive.com/[email protected]/msg678527.html

http://www.networkworld.com/columnists/2009/080509-xml-flaw.html

http://www.openoffice.org/security/cves/CVE-2009-2414-2416.html

http://www.securityfocus.com/archive/1/507985/100/0/threaded

http://www.securityfocus.com/bid/36010

http://www.ubuntu.com/usn/USN-815-1

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

http://www.vupen.com/english/advisories/2009/2420

http://www.vupen.com/english/advisories/2009/3184

http://www.vupen.com/english/advisories/2009/3217

http://www.vupen.com/english/advisories/2009/3316

https://bugzilla.redhat.com/show_bug.cgi?id=515195

https://git.gnome.org/browse/libxml2/commit/?id=489f9671e71cc44a97b23111b3126ac8a1e21a59

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10129

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8639

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00537.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00547.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00642.html

Details

Source: MITRE

Published: 2009-08-11

Updated: 2018-10-10

Type: CWE-119

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Tenable Plugins

View all (36 total)

ID	Name	Product	Family	Severity
89117	VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)	Nessus	Misc.	critical
79462	OracleVM 2.1 : libxml2 (OVMSA-2009-0018)	Nessus	OracleVM Local Security Checks	critical
67909	Oracle Linux 3 / 4 / 5 : libxml / libxml2 (ELSA-2009-1206)	Nessus	Oracle Linux Local Security Checks	medium
60637	Scientific Linux Security Update : libxml and libxml2 on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
56772	FreeBSD : libxml -- Stack consumption vulnerability (5a7d4110-0b7a-11e1-846b-00235409fd3e)	Nessus	FreeBSD Local Security Checks	medium
51756	SuSE 10 Security Update : libxml (ZYPP Patch Number 6482)	Nessus	SuSE Local Security Checks	medium
49636	GLSA-201009-07 : libxml2: Denial of Service	Nessus	Gentoo Local Security Checks	medium
5578	Apple iOS < 4.0 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	critical
44726	Debian DSA-1861-1 : libxml - several vulnerabilities	Nessus	Debian Local Security Checks	medium
44724	Debian DSA-1859-1 : libxml2 - several vulnerabilities	Nessus	Debian Local Security Checks	medium
42870	VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.	Nessus	VMware ESX Local Security Checks	critical
42478	Safari < 4.0.4 Multiple Vulnerabilities	Nessus	Windows	high
42477	Mac OS X : Apple Safari < 4.0.4	Nessus	MacOS X Local Security Checks	high
801003	Safari < 4.0.4 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
5232	Safari < 4.0.4 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
800795	Mac OS X 10.6 < 10.6.2 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	high
5227	Mac OS X 10.6 < 10.6.2 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
42434	Mac OS X 10.6.x < 10.6.2 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
42433	Mac OS X Multiple Vulnerabilities (Security Update 2009-006)	Nessus	MacOS X Local Security Checks	critical
42021	openSUSE 10 Security Update : libxml2 (libxml2-6405)	Nessus	SuSE Local Security Checks	medium
42020	openSUSE 10 Security Update : libxml (libxml-6477)	Nessus	SuSE Local Security Checks	medium
41325	SuSE9 Security Update : libxml.rpm (YOU Patch Number 12504)	Nessus	SuSE Local Security Checks	medium
41004	openSUSE Security Update : libxml (libxml-1278)	Nessus	SuSE Local Security Checks	medium
41002	openSUSE Security Update : libxml (libxml-1278)	Nessus	SuSE Local Security Checks	medium
40778	Google Chrome < 2.0.172.43 Multiple Vulnerabilities	Nessus	Windows	high
40604	Fedora 10 : libxml-1.8.17-24.fc10 (2009-8594)	Nessus	Fedora Local Security Checks	critical
40603	Fedora 11 : libxml-1.8.17-24.fc11 (2009-8582)	Nessus	Fedora Local Security Checks	critical
40602	Fedora 11 : mingw32-libxml2-2.7.3-2.fc11 (2009-8580)	Nessus	Fedora Local Security Checks	medium
40584	Mandriva Linux Security Advisory : libxml (MDVSA-2009:200-1)	Nessus	Mandriva Local Security Checks	medium
40576	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : libxml2 vulnerabilities (USN-815-1)	Nessus	Ubuntu Local Security Checks	critical
40575	openSUSE Security Update : libxml2 (libxml2-1175)	Nessus	SuSE Local Security Checks	medium
40573	openSUSE Security Update : libxml2 (libxml2-1175)	Nessus	SuSE Local Security Checks	medium
40570	Fedora 11 : libxml2-2.7.3-3.fc11 (2009-8498)	Nessus	Fedora Local Security Checks	medium
40569	Fedora 10 : libxml2-2.7.3-2.fc10 (2009-8491)	Nessus	Fedora Local Security Checks	medium
40544	RHEL 3 / 4 / 5 : libxml and libxml2 (RHSA-2009:1206)	Nessus	Red Hat Local Security Checks	medium
40533	CentOS 3 / 5 : libxml / libxml2 (CESA-2009:1206)	Nessus	CentOS Local Security Checks	medium