TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of service.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-763ac380b6 advisory.

    Automatic update for tinyxml-2.6.2-28.fc40.

    ##### **Changelog**

    ```
    * Wed Jan  3 2024 Dominik Mierzejewski <dominik@greysector.net> - 2.6.2-28
    - apply Debian patch to fix CVE-2021-42260 (rhbz#2253716, rhbz#2253718)
    - apply Debian patch to fix CVE-2023-34194 and its duplicate, CVE-2023-40462       (rhbz#2254376, rhbz#2254381)
    - fix incorrect text element encoding (upstream isssue #51)
    - compile and run tests

    ```

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-c9dc0ac419 advisory.

    Bugfix release. Includes security fixes for CVE-2021-42260 and CVE-2023-34194 and a fix for incorrect text     element encoding (upstream isssue #51).



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-80e6578a01 advisory.

    Bugfix release. Includes security fixes for CVE-2021-42260 and CVE-2023-34194 and a fix for incorrect text     element encoding (upstream isssue #51).



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-6542-1 advisory.

    Wang Zhong discovered that TinyXML incorrectly handled certain inputs. If a user or an automated system     were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue     to cause a

    denial of service.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3130 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3130-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                    Thorsten Alteholz     October 01, 2022                              https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : tinyxml     Version        : 2.6.2-4+deb10u1     CVE ID         : CVE-2021-42260


    An issue has been found in tinyxml, a C++ XML parsing library.
    Crafted XML messages could lead to an infinite loop in     TiXmlParsingData::Stamp(), which results in a denial of service.


    For Debian 10 buster, this problem has been fixed in version     2.6.2-4+deb10u1.

    We recommend that you upgrade your tinyxml packages.

    For the detailed security status of tinyxml please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/tinyxml

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2988 advisory.

  - TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the     TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of service.
    (CVE-2021-42260)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1474-1 advisory.

  - TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the     TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of service.
    (CVE-2021-42260)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:3639-1 advisory.

  - TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the     TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of service.
    (CVE-2021-42260)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194679	Fedora 40 : tinyxml (2024-763ac380b6)	Nessus	Fedora Local Security Checks	high
187965	Fedora 38 : tinyxml (2024-c9dc0ac419)	Nessus	Fedora Local Security Checks	high
187673	Fedora 39 : tinyxml (2024-80e6578a01)	Nessus	Fedora Local Security Checks	high
186682	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS : TinyXML vulnerability (USN-6542-1)	Nessus	Ubuntu Local Security Checks	high
165647	Debian dla-3130 : libtinyxml-dev - security update	Nessus	Debian Local Security Checks	high
160409	Debian DLA-2988-1 : tinyxml - LTS security update	Nessus	Debian Local Security Checks	high
155355	openSUSE 15 Security Update : tinyxml (openSUSE-SU-2021:1474-1)	Nessus	SuSE Local Security Checks	high
155010	openSUSE 15 Security Update : tinyxml (openSUSE-SU-2021:3639-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2021-42260

high

Tenable Plugins

high

high

high

high

high

high

high

high