Alpine: multiple libxml2 packages, multiple py3-libxml2 packages: security update to 2.9.1-r1 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 401186

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in
Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products,
loads external parameter entities regardless of whether entity substitution or validation is enabled,
which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML
document. (CVE-2014-0191)

See Also

https://git.alpinelinux.org/aports/commit/?id=13e59ed69b9459e1ef4534ee2f34e5f94fb99232

https://git.alpinelinux.org/aports/commit/?id=39a0663834fda2690f8b749de369700e7d995fdd

Plugin Details

Severity: High

ID: 401186

Version: Revision 1.24

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2014-0191

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/22/2014

Vulnerability Publication Date: 4/24/2014

Reference Information

CVE: CVE-2014-0191

BID: 67233