CVE-2013-0338

critical

Description

libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.

References

https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab

https://bugzilla.redhat.com/show_bug.cgi?id=912400

http://www.ubuntu.com/usn/USN-1782-1

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.mandriva.com/security/advisories?name=MDVSA-2013:056

http://www.debian.org/security/2013/dsa-2652

http://secunia.com/advisories/55568

http://secunia.com/advisories/52662

http://marc.info/?l=bugtraq&m=142798889927587&w=2

http://lists.opensuse.org/opensuse-updates/2013-03/msg00114.html

http://lists.opensuse.org/opensuse-updates/2013-03/msg00112.html

http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00002.html

Details

Source: Mitre, NVD

Published: 2013-04-25

Updated: 2025-04-11

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00238