CVE-2013-0340

medium

Description

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

References

http://openwall.com/lists/oss-security/2013/02/22/3

http://www.openwall.com/lists/oss-security/2013/04/12/6

http://www.osvdb.org/90634

http://securitytracker.com/id?1028213

http://www.securityfocus.com/bid/58233

https://security.gentoo.org/glsa/201701-21

https://support.apple.com/kb/HT212814

https://support.apple.com/kb/HT212815

https://support.apple.com/kb/HT212819

https://support.apple.com/kb/HT212807

https://support.apple.com/kb/HT212804

https://support.apple.com/kb/HT212805

http://seclists.org/fulldisclosure/2021/Sep/39

http://seclists.org/fulldisclosure/2021/Sep/38

http://seclists.org/fulldisclosure/2021/Sep/35

http://seclists.org/fulldisclosure/2021/Sep/34

http://seclists.org/fulldisclosure/2021/Sep/33

http://seclists.org/fulldisclosure/2021/Sep/40

https://lists.apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.openoffice.apache.org%3E

http://www.openwall.com/lists/oss-security/2021/10/07/4

http://seclists.org/fulldisclosure/2021/Oct/61

http://seclists.org/fulldisclosure/2021/Oct/63

http://seclists.org/fulldisclosure/2021/Oct/62

Details

Source: MITRE

Published: 2014-01-21

Updated: 2021-10-27

Type: CWE-611

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM