CVE-2009-2414

medium

Description

Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.

References

http://googlechromereleases.blogspot.com/2009/08/stable-update-security-fixes.html

http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

http://lists.apple.com/archives/security-announce/2009/Nov/msg00001.html

http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html

http://secunia.com/advisories/35036

http://secunia.com/advisories/36207

http://secunia.com/advisories/36338

http://secunia.com/advisories/36417

http://secunia.com/advisories/36631

http://secunia.com/advisories/37346

http://secunia.com/advisories/37471

http://support.apple.com/kb/HT3937

http://support.apple.com/kb/HT3949

http://support.apple.com/kb/HT4225

http://www.cert.fi/en/reports/2009/vulnerability2009085.html

http://www.codenomicon.com/labs/xml/

http://www.debian.org/security/2009/dsa-1859

http://www.mail-archive.com/[email protected]/msg678527.html

http://www.networkworld.com/columnists/2009/080509-xml-flaw.html

http://www.openoffice.org/security/cves/CVE-2009-2414-2416.html

http://www.securityfocus.com/archive/1/507985/100/0/threaded

http://www.securityfocus.com/bid/36010

http://www.ubuntu.com/usn/USN-815-1

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

http://www.vupen.com/english/advisories/2009/2420

http://www.vupen.com/english/advisories/2009/3184

http://www.vupen.com/english/advisories/2009/3217

http://www.vupen.com/english/advisories/2009/3316

https://bugzilla.redhat.com/show_bug.cgi?id=515195

https://git.gnome.org/browse/libxml2/commit/?id=489f9671e71cc44a97b23111b3126ac8a1e21a59

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10129

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8639

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00537.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00547.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00642.html

Details

Source: MITRE

Published: 2009-08-11

Updated: 2018-10-10

Type: CWE-119

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Tenable Plugins

| ID | Name | Product | Family | Severity |
| --- | --- | --- | --- | --- |
| 89117 | VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check) | Nessus | Misc. | critical |
| 79462 | OracleVM 2.1 : libxml2 (OVMSA-2009-0018) | Nessus | OracleVM Local Security Checks | critical |
| 67909 | Oracle Linux 3 / 4 / 5 : libxml / libxml2 (ELSA-2009-1206) | Nessus | Oracle Linux Local Security Checks | medium |
| 60637 | Scientific Linux Security Update : libxml and libxml2 on SL3.x, SL4.x, SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium |
| 56772 | FreeBSD : libxml -- Stack consumption vulnerability (5a7d4110-0b7a-11e1-846b-00235409fd3e) | Nessus | FreeBSD Local Security Checks | medium |
| 51756 | SuSE 10 Security Update : libxml (ZYPP Patch Number 6482) | Nessus | SuSE Local Security Checks | medium |
| 49636 | GLSA-201009-07 : libxml2: Denial of Service | Nessus | Gentoo Local Security Checks | medium |
| 5578 | Apple iOS < 4.0 Multiple Vulnerabilities | Nessus Network Monitor | Mobile Devices | critical |
| 44726 | Debian DSA-1861-1 : libxml - several vulnerabilities | Nessus | Debian Local Security Checks | medium |
| 44724 | Debian DSA-1859-1 : libxml2 - several vulnerabilities | Nessus | Debian Local Security Checks | medium |
| 42870 | VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components. | Nessus | VMware ESX Local Security Checks | medium |
| 42478 | Safari < 4.0.4 Multiple Vulnerabilities | Nessus | Windows | high |
| 42477 | Mac OS X : Apple Safari < 4.0.4 | Nessus | MacOS X Local Security Checks | high |
| 801003 | Safari < 4.0.4 Multiple Vulnerabilities | Log Correlation Engine | Web Clients | high |
| 5232 | Safari < 4.0.4 Multiple Vulnerabilities | Nessus Network Monitor | Web Clients | medium |
| 800795 | Mac OS X 10.6 < 10.6.2 Multiple Vulnerabilities | Log Correlation Engine | Operating System Detection | high |
| 5227 | Mac OS X 10.6 < 10.6.2 Multiple Vulnerabilities | Nessus Network Monitor | Generic | critical |
| 42434 | Mac OS X 10.6.x < 10.6.2 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical |
| 42433 | Mac OS X Multiple Vulnerabilities (Security Update 2009-006) | Nessus | MacOS X Local Security Checks | critical |
| 42021 | openSUSE 10 Security Update : libxml2 (libxml2-6405) | Nessus | SuSE Local Security Checks | medium |
| 42020 | openSUSE 10 Security Update : libxml (libxml-6477) | Nessus | SuSE Local Security Checks | medium |
| 41325 | SuSE9 Security Update : libxml.rpm (YOU Patch Number 12504) | Nessus | SuSE Local Security Checks | medium |
| 41004 | openSUSE Security Update : libxml (libxml-1278) | Nessus | SuSE Local Security Checks | medium |
| 41002 | openSUSE Security Update : libxml (libxml-1278) | Nessus | SuSE Local Security Checks | medium |
| 40778 | Google Chrome < 2.0.172.43 Multiple Vulnerabilities | Nessus | Windows | high |
| 40604 | Fedora 10 : libxml-1.8.17-24.fc10 (2009-8594) | Nessus | Fedora Local Security Checks | critical |
| 40603 | Fedora 11 : libxml-1.8.17-24.fc11 (2009-8582) | Nessus | Fedora Local Security Checks | critical |
| 40602 | Fedora 11 : mingw32-libxml2-2.7.3-2.fc11 (2009-8580) | Nessus | Fedora Local Security Checks | medium |
| 40584 | Mandriva Linux Security Advisory : libxml (MDVSA-2009:200-1) | Nessus | Mandriva Local Security Checks | medium |
| 40576 | Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : libxml2 vulnerabilities (USN-815-1) | Nessus | Ubuntu Local Security Checks | critical |
| 40575 | openSUSE Security Update : libxml2 (libxml2-1175) | Nessus | SuSE Local Security Checks | medium |
| 40573 | openSUSE Security Update : libxml2 (libxml2-1175) | Nessus | SuSE Local Security Checks | medium |
| 40570 | Fedora 11 : libxml2-2.7.3-3.fc11 (2009-8498) | Nessus | Fedora Local Security Checks | medium |
| 40569 | Fedora 10 : libxml2-2.7.3-2.fc10 (2009-8491) | Nessus | Fedora Local Security Checks | medium |
| 40544 | RHEL 3 / 4 / 5 : libxml and libxml2 (RHSA-2009:1206) | Nessus | Red Hat Local Security Checks | medium |
| 40533 | CentOS 3 / 5 : libxml / libxml2 (CESA-2009:1206) | Nessus | CentOS Local Security Checks | medium |