CVE-2003-1564
Published: 2003-12-31
Priority: P4 · 16 · medium · CVSS 3.1: 6.5
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 1.62% (73.1th percentile)
libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."
Affected
414 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | apr-util | < 1.3.7 | 1.3.7 |
| apache | apr-util | >= 0 < 1.3.7+dfsg-1 | 1.3.7+dfsg-1 |
| apache | apr-util | >= 0 < 1.3.7+dfsg-1 | 1.3.7+dfsg-1 |
| apache | apr-util | >= 0 < 1.3.7+dfsg-1 | 1.3.7+dfsg-1 |
| apache | apr-util | >= 0 < 1.3.7+dfsg-1 | 1.3.7+dfsg-1 |
| apache | http_server | >= 2.2.0 < 2.2.12 | 2.2.12 |
| apple | mac_os_x | < 10.6.2 | 10.6.2 |
| apple | mac_os_x | < 10.6.8 | 10.6.8 |
| apple | mac_os_x | >= 10.7.0 < 10.7.2 | 10.7.2 |
| apple | mac_os_x_server | < 10.6.8 | 10.6.8 |
| apple | mac_os_x_server | >= 10.7.0 < 10.7.2 | 10.7.2 |
| brad_fitzpatrick | djabberd | <= 0.84 | — |
| brad_fitzpatrick | djabberd | — | — |
| brad_fitzpatrick | djabberd | — | — |
| brad_fitzpatrick | djabberd | — | — |
| brad_fitzpatrick | djabberd | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| cisco | jabber_extensible_communications_platform | <= 5.8 | — |
| cisco | jabber_extensible_communications_platform | <= 5.4 | — |
| cisco | jabber_extensible_communications_platform | — | — |
| cisco | jabber_extensible_communications_platform | — | — |
| cisco | jabber_extensible_communications_platform | — | — |
CVSS provenance
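| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| ghsa | — | 6.5 | MEDIUM | — |
| osv | — | 6.5 | MEDIUM | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_debian | — | 6.5 | LOW | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |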
GHSA
GHSA-h29v-8cc2-w88r: Qt through 5
ghsa_unreviewed·2022-05-24·CVSS 6.5
CVE-2015-9541 [MEDIUM] CWE-776 GHSA-h29v-8cc2-w88r: Qt through 5
Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
GHSA
GHSA-p9hm-fgj4-cw8w: Infoblox NIOS before 8
ghsa_unreviewed·2022-05-24·CVSS 6.5
CVE-2020-15303 [MEDIUM] CWE-776 GHSA-p9hm-fgj4-cw8w: Infoblox NIOS before 8
Infoblox NIOS before 8.5.2 allows entity expansion during an XML upload operation, a related issue to CVE-2003-1564.
GHSA
GHSA-j25g-v5c4-pqj9: IBM WebSphere Portal 6
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2014-4814 [MEDIUM] GHSA-j25g-v5c4-pqj9: IBM WebSphere Portal 6
IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0 through 7.0.0.2 CF28, 8.0 through 8.0.0.1 CF14, and 8.5.0 before CF03 does not properly detect recursion during entity expansion, which allows remote authenticated users to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-92pm-rc7q-ch3w: Prosody before 0
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2011-2205 [MEDIUM] GHSA-92pm-rc7q-ch3w: Prosody before 0
Prosody before 0.8.1 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-m277-38hj-98fr: Cisco Jabber Extensible Communications Platform (aka Jabber XCP) 2
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2011-3287 [MEDIUM] GHSA-m277-38hj-98fr: Cisco Jabber Extensible Communications Platform (aka Jabber XCP) 2
Cisco Jabber Extensible Communications Platform (aka Jabber XCP) 2.x through 5.4.x before 5.4.0.27581 and 5.8.x before 5.8.1.27561 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption, and process crash) via a crafted XML document containing a large number of nested entity references, aka Bug ID CSCtq78106, a similar issue to CVE-2003-1564.
GHSA
GHSA-94p2-4f88-99g7: The Incutio XML-RPC (IXR) Library, as used in WordPress before 3
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2014-5265 [MEDIUM] GHSA-94p2-4f88-99g7: The Incutio XML-RPC (IXR) Library, as used in WordPress before 3
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-66wf-g54m-27m7: Cisco Unified Presence before 8
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2011-3288 [MEDIUM] CWE-776 GHSA-66wf-g54m-27m7: Cisco Unified Presence before 8
Cisco Unified Presence before 8.5(4) does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption, and process crash) via a crafted XML document containing a large number of nested entity references, aka Bug IDs CSCtq89842 and CSCtq88547, a similar issue to CVE-2003-1564.
GHSA
GHSA-3rc4-q7c3-jfpm: The XML parser in IBM Rational DOORS Next Generation 4
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2015-0132 [MEDIUM] GHSA-3rc4-q7c3-jfpm: The XML parser in IBM Rational DOORS Next Generation 4
The XML parser in IBM Rational DOORS Next Generation 4.x before 4.0.7 iFix3 and 5.x before 5.0.2 and Rational Requirements Composer 2.x and 3.x before 3.0.1.6 iFix5 and 4.x before 4.0.7 iFix3 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-p7w4-2fhg-mqv6: jabberd14 1
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2011-1754 [MEDIUM] GHSA-p7w4-2fhg-mqv6: jabberd14 1
jabberd14 1.6.1.1 and earlier does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-827g-rqf3-jrp6: LuaExpat before 1
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2011-2188 [MEDIUM] GHSA-827g-rqf3-jrp6: LuaExpat before 1
LuaExpat before 1.2.0 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-rpcf-xw9j-7c7j: jabberd2 before 2
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2011-1755 [MEDIUM] CWE-776 GHSA-rpcf-xw9j-7c7j: jabberd2 before 2
jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-mw4p-pmw3-438r: Zenoss Core through 5 Beta 3 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (m
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2014-6259 [MEDIUM] GHSA-mw4p-pmw3-438r: Zenoss Core through 5 Beta 3 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (m
Zenoss Core through 5 Beta 3 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka ZEN-15414, a similar issue to CVE-2003-1564.
GHSA
GHSA-6px8-r2g4-9v5v: modules/xmpp/serv_xmpp
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2011-1756 [MEDIUM] GHSA-6px8-r2g4-9v5v: modules/xmpp/serv_xmpp
modules/xmpp/serv_xmpp.c in Citadel 7.86 and earlier does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-xfr3-2vw7-gq74: The Monitoring Administration pages in PNMsoft Sequence Kinetics before 7
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2014-6303 [MEDIUM] GHSA-xfr3-2vw7-gq74: The Monitoring Administration pages in PNMsoft Sequence Kinetics before 7
The Monitoring Administration pages in PNMsoft Sequence Kinetics before 7.7 do not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-35cw-298h-r635: expat_erl
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2011-1753 [MEDIUM] GHSA-35cw-298h-r635: expat_erl
expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-r4cr-22jj-489p: IBM Connections 3
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2015-5038 [MEDIUM] GHSA-r4cr-22jj-489p: IBM Connections 3
IBM Connections 3.x before 3.0.1.1 CR3, 4.0 before CR4, 4.5 before CR5, and 5.0 before CR3 does not properly detect recursion during XML entity expansion, which allows remote attackers to cause a denial of service (CPU consumption and application crash) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-w3qg-grm5-jw49: IBM Rational ClearQuest 7
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2014-3104 [MEDIUM] GHSA-w3qg-grm5-jw49: IBM Rational ClearQuest 7
IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-g6x3-992w-85wr: IBM Rational ClearCase 7
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2014-3090 [MEDIUM] GHSA-g6x3-992w-85wr: IBM Rational ClearCase 7
IBM Rational ClearCase 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-4p35-7jx5-47jq: DJabberd 0
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2011-1757 [MEDIUM] GHSA-4p35-7jx5-47jq: DJabberd 0
DJabberd 0.84 and earlier does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-573j-gc9j-4fph: The Microsoft
ghsa_unreviewed·2022-05-14·CVSS 6.5
CVE-2013-7332 [MEDIUM] GHSA-573j-gc9j-4fph: The Microsoft
The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-55ph-9w63-r34w: PDF-XChange Editor through 7
ghsa_unreviewed·2022-05-14·CVSS 6.5
CVE-2018-16303 [MEDIUM] CWE-611 GHSA-55ph-9w63-r34w: PDF-XChange Editor through 7
PDF-XChange Editor through 7.0.326.1 allows remote attackers to cause a denial of service (resource consumption) via a crafted x:xmpmeta structure, a related issue to CVE-2003-1564.
GHSA
GHSA-9c28-2wjp-xr55: The XML parser in Microsoft Office 2007 SP3, 2010 SP1 and SP2, and 2013, and Office for Mac 2011, does not properly detect recursion during entity exp
ghsa_unreviewed·2022-05-14·CVSS 6.5
CVE-2014-2730 [MEDIUM] GHSA-9c28-2wjp-xr55: The XML parser in Microsoft Office 2007 SP3, 2010 SP1 and SP2, and 2013, and Office for Mac 2011, does not properly detect recursion during entity exp
The XML parser in Microsoft Office 2007 SP3, 2010 SP1 and SP2, and 2013, and Office for Mac 2011, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory consumption and persistent application hang) via a crafted XML document containing a large number of nested entity references, as demonstrated by a crafted text/plain e-mail message to Outlook, a similar issue to CVE-2003-1564.
GHSA
GHSA-mrch-jfhc-g63x: IBM WebSphere Commerce 6
ghsa_unreviewed·2022-05-13·CVSS 6.5
CVE-2014-4834 [MEDIUM] GHSA-mrch-jfhc-g63x: IBM WebSphere Commerce 6
IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.8 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application crash) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
OSV
JBossWS vulnerable to uncontrolled recursion
osv·2022-05-13·CVSS 6.5
CVE-2011-1483 [MEDIUM] JBossWS vulnerable to uncontrolled recursion
JBossWS vulnerable to uncontrolled recursion
DOMUtils.java in org.jboss.ws:jbossws-common does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
JBossWS vulnerable to uncontrolled recursion
ghsa·2022-05-13·CVSS 6.5
CVE-2011-1483 [MEDIUM] CWE-400 JBossWS vulnerable to uncontrolled recursion
JBossWS vulnerable to uncontrolled recursion
DOMUtils.java in org.jboss.ws:jbossws-common does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-9vc6-7j3x-7x4v: neon before 0
ghsa_unreviewed·2022-05-02·CVSS 6.5
CVE-2009-2473 [MEDIUM] GHSA-9vc6-7j3x-7x4v: neon before 0
neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
GHSA
GHSA-hfr6-pxvf-frf7: The expat XML parser in the apr_xml_* interface in xml/apr_xml
ghsa_unreviewed·2022-05-02·CVSS 6.5
CVE-2009-1955 [MEDIUM] CWE-776 GHSA-hfr6-pxvf-frf7: The expat XML parser in the apr_xml_* interface in xml/apr_xml
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
GHSA
GHSA-34h5-p5c9-pjw6: libxml2 2
ghsa_unreviewed·2022-05-02·CVSS 6.5
CVE-2008-4409 [MEDIUM] GHSA-34h5-p5c9-pjw6: libxml2 2
libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281.
GHSA
GHSA-6wfm-7hqx-39wg: libxml2, possibly before 2
ghsa_unreviewed·2022-04-29
CVE-2003-1564 [HIGH] CWE-776 GHSA-6wfm-7hqx-39wg: libxml2, possibly before 2
libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."
OSV
SnakeYAML Entity Expansion during load operation
osv·2021-06-04·CVSS 6.5
CVE-2017-18640 [MEDIUM] SnakeYAML Entity Expansion during load operation
SnakeYAML Entity Expansion during load operation
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
GHSA
SnakeYAML Entity Expansion during load operation
ghsa·2021-06-04·CVSS 6.5
CVE-2017-18640 [MEDIUM] CWE-776 SnakeYAML Entity Expansion during load operation
SnakeYAML Entity Expansion during load operation
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
OSV
CVE-2015-9541: Qt through 5
osv·2020-01-24·CVSS 6.5
CVE-2015-9541 [MEDIUM] CVE-2015-9541: Qt through 5
Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
OSV
CVE-2017-18640: The Alias feature in SnakeYAML before 1
osv·2019-12-12·CVSS 6.5
CVE-2017-18640 [MEDIUM] CVE-2017-18640: The Alias feature in SnakeYAML before 1
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
OSV
CVE-2014-5265: The Incutio XML-RPC (IXR) Library, as used in WordPress before 3
osv·2014-08-18·CVSS 6.5
CVE-2014-5265 [MEDIUM] CVE-2014-5265: The Incutio XML-RPC (IXR) Library, as used in WordPress before 3
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
OSV
CVE-2011-2205: Prosody before 0
osv·2011-06-22·CVSS 6.5
CVE-2011-2205 [MEDIUM] CVE-2011-2205: Prosody before 0
Prosody before 0.8.1 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
OSV
CVE-2011-2188: LuaExpat before 1
osv·2011-06-21·CVSS 6.5
CVE-2011-2188 [MEDIUM] CVE-2011-2188: LuaExpat before 1
LuaExpat before 1.2.0 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
OSV
CVE-2011-1755: jabberd2 before 2
osv·2011-06-21·CVSS 6.5
CVE-2011-1755 [MEDIUM] CVE-2011-1755: jabberd2 before 2
jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
OSV
CVE-2011-1753: expat_erl
osv·2011-06-21·CVSS 6.5
CVE-2011-1753 [MEDIUM] CVE-2011-1753: expat_erl
expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
OSV
CVE-2011-1756: modules/xmpp/serv_xmpp
osv·2011-06-21·CVSS 6.5
CVE-2011-1756 [MEDIUM] CVE-2011-1756: modules/xmpp/serv_xmpp
modules/xmpp/serv_xmpp.c in Citadel 7.86 and earlier does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
OSV
CVE-2009-1955: The expat XML parser in the apr_xml_* interface in xml/apr_xml
osv·2009-06-08·CVSS 6.5
CVE-2009-1955 [MEDIUM] CVE-2009-1955: The expat XML parser in the apr_xml_* interface in xml/apr_xml
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
Microsoft
Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
vendor_msrc·2020-01-14·CVSS 7.5
CVE-2015-9541 [MEDIUM] CWE-776
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Red Hat
snakeyaml: Billion laughs attack via alias feature
vendor_redhat·2019-12-12·CVSS 6.5
CVE-2017-18640 [MEDIUM] CWE-776 snakeyaml: Billion laughs attack via alias feature
snakeyaml: Billion laughs attack via alias feature
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Package: prometheus-jmx-exporter (Red Hat A-MQ Online) - Not affected
Package: snakeyaml (Red Hat Enterprise Linux 7) - Will not fix
Package: snakeyaml (Red Hat Single Sign-On 7) - Not affected
Package: rh-java-common-snakeyaml (Red Hat Software Collections) - Out of support scope
Package: rh-maven35-snakeyaml (Red Hat Software Collections) - Will not fix
Microsoft
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
vendor_msrc·2019-12-10·CVSS 7.5
CVE-2017-18640 [MEDIUM] CWE-776
Debian
CVE-2017-18640: snakeyaml - The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load...
vendor_debian·2017·CVSS 6.5
CVE-2017-18640 [MEDIUM] CVE-2017-18640: snakeyaml - The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load...
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Scope: local
bookworm: resolved (fixed in 1.25+ds-3)
bullseye: resolved (fixed in 1.25+ds-3)
forky: resolved (fixed in 1.25+ds-3)
sid: resolved (fixed in 1.25+ds-3)
trixie: resolved (fixed in 1.25+ds-3)
Red Hat
qt: XML entity expansion vulnerability
vendor_redhat·2015-07-24·CVSS 6.5
CVE-2015-9541 [MEDIUM] CWE-776 qt: XML entity expansion vulnerability
qt: XML entity expansion vulnerability
Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
An XML Entity Expansion flaw was found in the QT library. Applications that use QT to load untrusted images, for example, SVG images, or untrusted XML documents, may be vulnerable to this flaw. This flaw allows an attacker to cause a denial of service.
Package: qt (Red Hat Enterprise Linux 5) - Out of support scope
Package: qt4 (Red Hat Enterprise Linux 5) - Out of support scope
Package: qt (Red Hat Enterprise Linux 6) - Out of support scope
Package: qt3 (Red Hat Enterprise Linux 6) - Out of support scope
Package: qt (Red Hat Enterprise Linux 7) - Will not fix
Package: qt3 (Red H
Debian
CVE-2015-9541: qtbase-opensource-src - Qt through 5.14 allows an exponential XML entity expansion attack via a crafted ...
vendor_debian·2015·CVSS 6.5
CVE-2015-9541 [MEDIUM] CVE-2015-9541: qtbase-opensource-src - Qt through 5.14 allows an exponential XML entity expansion attack via a crafted ...
Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
Scope: local
bookworm: resolved (fixed in 5.12.5+dfsg-9)
bullseye: resolved (fixed in 5.12.5+dfsg-9)
forky: resolved (fixed in 5.12.5+dfsg-9)
sid: resolved (fixed in 5.12.5+dfsg-9)
trixie: resolved (fixed in 5.12.5+dfsg-9)
Debian
CVE-2014-5265: wordpress - The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal ...
vendor_debian·2014·CVSS 6.5
CVE-2014-5265 [MEDIUM] CVE-2014-5265: wordpress - The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal ...
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Scope: local
bookworm: resolved (fixed in 3.9.2+dfsg-1)
bullseye: resolved (fixed in 3.9.2+dfsg-1)
forky: resolved (fixed in 3.9.2+dfsg-1)
sid: resolved (fixed in 3.9.2+dfsg-1)
trixie: resolved (fixed in 3.9.2+dfsg-1)
Red Hat
JBossWS remote Denial of Service
vendor_redhat·2011-09-15·CVSS 6.5
CVE-2011-1483 [MEDIUM] JBossWS remote Denial of Service
JBossWS remote Denial of Service
wsf/common/DOMUtils.java in JBossWS Native in Red Hat JBoss Enterprise Application Platform 4.2.0.CP09, 4.3, and 5.1.1; JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.1; JBoss Enterprise SOA Platform 4.2.CP05, 4.3.CP05, and 5.1.0; JBoss Communications Platform 1.2.11 and 5.1.1; JBoss Enterprise BRMS Platform 5.1.0; and JBoss Enterprise Web Platform 5.1.1 does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.
Package: Security (Red Hat JBoss BRMS 5) - Affected
Red Hat
jabberd: DoS via the XML "billion laughs attack"
vendor_redhat·2011-05-31·CVSS 6.5
CVE-2011-1755 [MEDIUM] jabberd: DoS via the XML "billion laughs attack"
jabberd: DoS via the XML "billion laughs attack"
jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Statement: Vulnerable. This issue has been addressed in Red Hat Network Satellite Server v 5.4.1 via RHSA-2011:0882 https://rhn.redhat.com/errata/RHSA-2011-0882.html and in Red Hat Network Proxy Server v5.4.1 via RHSA-2011:0881 https://rhn.redhat.com/errata/RHSA-2011-0881.html. This issue is not planned to be fixed in Red Hat Network Satellite Server versions 5.0.2, 5.1.1, 5.2.1, 5.3.0 and not planned to be fixed in Red Hat Network Proxy Server versions 5.0.
Debian
CVE-2011-2188: lua-expat - LuaExpat before 1.2.0 does not properly detect recursion during entity expansion...
vendor_debian·2011·CVSS 6.5
CVE-2011-2188 [MEDIUM] CVE-2011-2188: lua-expat - LuaExpat before 1.2.0 does not properly detect recursion during entity expansion...
LuaExpat before 1.2.0 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Scope: local
bookworm: resolved (fixed in 1.2.0-1)
bullseye: resolved (fixed in 1.2.0-1)
forky: resolved (fixed in 1.2.0-1)
sid: resolved (fixed in 1.2.0-1)
trixie: resolved (fixed in 1.2.0-1)
Debian
CVE-2011-1753: ejabberd - expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp bef...
vendor_debian·2011·CVSS 6.5
CVE-2011-1753 [MEDIUM] CVE-2011-1753: ejabberd - expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp bef...
expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Scope: local
bookworm: resolved (fixed in 2.1.6-2.1)
bullseye: resolved (fixed in 2.1.6-2.1)
forky: resolved (fixed in 2.1.6-2.1)
sid: resolved (fixed in 2.1.6-2.1)
trixie: resolved (fixed in 2.1.6-2.1)
Debian
CVE-2011-1755: jabberd2 - jabberd2 before 2.2.14 does not properly detect recursion during entity expansio...
vendor_debian·2011·CVSS 6.5
CVE-2011-1755 [MEDIUM] CVE-2011-1755: jabberd2 - jabberd2 before 2.2.14 does not properly detect recursion during entity expansio...
jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Scope: local
bookworm: resolved (fixed in 2.2.8-2.1)
bullseye: resolved (fixed in 2.2.8-2.1)
forky: resolved (fixed in 2.2.8-2.1)
sid: resolved (fixed in 2.2.8-2.1)
trixie: resolved (fixed in 2.2.8-2.1)
Debian
CVE-2011-2205: prosody - Prosody before 0.8.1 does not properly detect recursion during entity expansion,...
vendor_debian·2011·CVSS 6.5
CVE-2011-2205 [MEDIUM] CVE-2011-2205: prosody - Prosody before 0.8.1 does not properly detect recursion during entity expansion,...
Prosody before 0.8.1 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Scope: local
bookworm: resolved (fixed in 0.7.0-1)
bullseye: resolved (fixed in 0.7.0-1)
forky: resolved (fixed in 0.7.0-1)
sid: resolved (fixed in 0.7.0-1)
trixie: resolved (fixed in 0.7.0-1)
Red Hat
neon: billion laughs DoS attack
vendor_redhat·2009-08-18·CVSS 6.5
CVE-2009-2473 [MEDIUM] neon: billion laughs DoS attack
neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Package: gnome-vfs2 (Red Hat Enterprise Linux 4) - Will not fix
Red Hat
apr-util billion laughs attack
vendor_redhat·2009-06-01·CVSS 6.5
CVE-2009-1955 [MEDIUM] apr-util billion laughs attack
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
Debian
CVE-2009-1955: apr-util - The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-u...
vendor_debian·2009·CVSS 6.5
CVE-2009-1955 [MEDIUM] CVE-2009-1955: apr-util - The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-u...
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
Scope: local
bookworm: resolved (fixed in 1.3.7+dfsg-1)
bullseye: resolved (fixed in 1.3.7+dfsg-1)
forky: resolved (fixed in 1.3.7+dfsg-1)
sid: resolved (fixed in 1.3.7+dfsg-1)
trixie: resolved (fixed in 1.3.7+dfsg-1)
Debian
CVE-2009-2473: neon27 - neon before 0.28.6, when expat is used, does not properly detect recursion durin...
vendor_debian·2009·CVSS 6.5
CVE-2009-2473 [MEDIUM] CVE-2009-2473: neon27 - neon before 0.28.6, when expat is used, does not properly detect recursion durin...
neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Red Hat
libxml2: infinite loop when entity is used in entity definition
vendor_redhat·2008-10-02·CVSS 6.5
CVE-2008-4409 [MEDIUM] CWE-835 libxml2: infinite loop when entity is used in entity definition
libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281.
Statement: Not vulnerable. This issue did not affect the versions of libxml2 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
Debian
CVE-2008-4409: libxml2 - libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definition...
vendor_debian·2008·CVSS 6.5
CVE-2008-4409 [MEDIUM] CVE-2008-4409: libxml2 - libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definition...
libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Red Hat
libxml2: billion laughs DoS attack
vendor_redhat·2003-02-02·CVSS 6.5
CVE-2003-1564 [MEDIUM] libxml2: billion laughs DoS attack
libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2021-3541 libxml2: Exponential entity expansion attack bypasses all existing protection mechanisms
bugzilla·2021-04-16·CVSS 6.5
CVE-2021-3541 [MEDIUM] CVE-2021-3541 libxml2: Exponential entity expansion attack bypasses all existing protection mechanisms
A flaw was found in libxml2. An exponential entity expansion attack is possible, bypassing all existing protection mechanisms and leading to denial of service.
Discussion:
Acknowledgments:
Name: Sebastian Pipping
---
This flaw is essentially a variant of the billion laughs attack which can DoS libxml2 even with the set of safe flags.
The original billion laughs attack was fixed in libxml2 via https://access.redhat.com/security/cve/CVE-2003-1564
Expat packages shipped in Red Hat products and the upstream project are still vulnerable to billion laughs attack.
---
Created libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1960153]
Created mingw-libxml2 tracking bugs for
Bugzilla
CVE-2015-9541 qt: XML entity expansion vulnerability
bugzilla·2020-02-10·CVSS 6.5
CVE-2015-9541 [MEDIUM] CVE-2015-9541 qt: XML entity expansion vulnerability
Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
References:
https://bugreports.qt.io/browse/QTBUG-47417
Discussion:
Created qt5 tracking bugs for this issue:
Affects: fedora-all [bug 1801370]
---
Upstream fix:
https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f432c08882ffebe5074ea28de871559a98a4d094
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2015-9541
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4690 https://access.redhat.com/errata/RHSA-2020:4690
Bugzilla
CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature
bugzilla·2019-12-19·CVSS 6.5
CVE-2017-18640 [MEDIUM] CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Reference:
https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
Discussion:
Created snakeyaml tracking bugs for this issue:
Affects: fedora-all [bug 1785377]
---
What needs to be done here? Is there a specific patch that needs to be applied?
Upstream's position [0] seems to be that you need to be careful about what inputs you give to snakeyaml. From a snakeyaml packager POV, there's not much we can do if snakeyaml upstream won't fix it and we don't control how packages use snakeyaml downstream or upstream. Would rebasing F30 to 1.25 (like F31 and Rawhide are cu
Bugzilla
CVE-2013-0338 libxml2: CPU consumption DoS when performing string substitutions during entities expansion
bugzilla·2013-02-18·CVSS 6.5
CVE-2013-0338 [MEDIUM] CVE-2013-0338 libxml2: CPU consumption DoS when performing string substitutions during entities expansion
A denial of service flaw was found in the way libxml2, a library providing support to read, modify and write XML and HTML files, performed string substitutions when entity values for entity references replacement (--noent option) was requested / enabled during the XML file parsing. A remote attacker could provide a specially-crafted XML file that, when processed would lead to excessive CPU consumption (denial of service).
Discussion:
This issue affects the versions of the libxml2 package, as shipped with Red Hat Enterprise Linux 5 and 6.
--
This issue affects the versions of the libxml2 package, as shipped with Fedora release of 17 and 18.
--
This issue affects the versions of t
Bugzilla
CVE-2009-2473 neon: billion laughs DoS attack
bugzilla·2009-08-19·CVSS 6.5
CVE-2009-2473 [MEDIUM] CVE-2009-2473 neon: billion laughs DoS attack
Neon, before 0.28.6, does not properly detect recursion during
XML entity expansion, which allows context-dependent attackers to
cause a denial of service (memory and CPU consumption) via a crafted
XML document containing a large number of nested entity references,
aka the "billion laughs attack."
References:
http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html
http://lists.manyfish.co.uk/pipermail/neon/2009-August/001045.html
Discussion:
Information about affected Neon versions from Joe Orton:
All versions of neon older than 0.28.6 are affected, where linked
against expat. This issue does not affect versions of neon which are
compiled to use libxml2 instead of expat, provided the libxml2 version
is 2.6.32 or greater.
---
C
Bugzilla
CVE-2009-1955 apr-util billion laughs attack
bugzilla·2009-06-08·CVSS 6.5
CVE-2009-1955 [MEDIUM] CVE-2009-1955 apr-util billion laughs attack
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1955 to the following vulnerability:
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in
Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn
modules in the Apache HTTP Server, allows remote attackers to cause a
denial of service (memory consumption) via a crafted XML document
containing a large number of nested entity references, as demonstrated
by a PROPFIND request, a similar issue to CVE-2003-1564.
Discussion:
*** Bug 503814 has been marked as a duplicate of this bug. ***
---
Public exploit posted to milw0rm:
http://www.milw0rm.com/exploits/8842
Upstream patch:
http://svn.apache.org/viewvc?view=rev&revision=781403
http://marc.info/?l=a
Bugzilla
CVE-2008-4409 libxml2: infinite loop when entity is used in entity definition
bugzilla·2008-10-06·CVSS 6.5
CVE-2008-4409 [MEDIUM] CVE-2008-4409 libxml2: infinite loop when entity is used in entity definition
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4409 to the following vulnerability:
libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities
definitions" in entities, which allows context-dependent attackers to cause a
denial of service (memory consumption and application crash), as demonstrated
by use of xmllint on a certain XML document, a different vulnerability than
CVE-2003-1564 and CVE-2008-3281.
Upstream bugreport:
http://bugzilla.gnome.org/show_bug.cgi?id=554660
Fixed upstream in 2.7.2:
http://mail.gnome.org/archives/xml/2008-October/msg00016.html
References:
http://openwall.com/lists/oss-security/2008/10/02/4
Discussion:
This issue only affected 2.7.x versions of
Bugzilla
CVE-2003-1564 libxml2: billion laughs DoS attack
bugzilla·2008-09-04·CVSS 6.5
CVE-2003-1564 [MEDIUM] CVE-2003-1564 libxml2: billion laughs DoS attack
Common Vulnerabilities and Exposures assigned an identifier CVE-2003-1564 to the following vulnerability:
libxml2, possibly before 2.5.0, does not properly detect recursion
during entity expansion, which allows context-dependent attackers to
cause a denial of service (memory and CPU consumption) via a crafted
XML document containing a large number of nested entity references,
aka the "billion laughs attack."
References:
http://www.stylusstudio.com/xmldev/200302/post20020.html
http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2
http://xmlsoft.org/news.html
http://mail.gnome.org/archives/xml/2008-August/msg00034.html
Discussion:
Created attachment 315726
Public test case
Source: http://www.cogsci.ed.ac.uk/~richard/
CWE
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
mitre_cwe
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
Modes of Introduction:
Phase: Implementation
Phase: Operation
Common Consequences:
Scope: Availability. Impact: DoS: Resource Consumption (Other). If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.
Detection Methods:
Automated Static Analysis: Automated static analysis, commonly
CWE
Asymmetric Resource Consumption (Amplification)
mitre_cwe
CWE-405 Asymmetric Resource Consumption (Amplification)
CWE-405: Asymmetric Resource Consumption (Amplification)
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Phase: Operation
Common Consequences:
Scope: Availability. Impact: DoS: Amplification, DoS: Resource Consumption (CPU), DoS: Resource
CWE
Improper Handling of Highly Compressed Data (Data Amplification)
mitre_cwe·CVSS 6.5
[MEDIUM] CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Common Consequences:
Scope: Availability. Impact: DoS: Amplification, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory). System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash.
Examples:
The DTD and the very brief XML below illustrate what is meant by an XML
http://mail.gnome.org/archives/xml/2008-August/msg00034.html
http://secunia.com/advisories/31868
http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2
http://www.redhat.com/support/errata/RHSA-2008-0886.html
http://www.stylusstudio.com/xmldev/200302/post20020.html
http://xmlsoft.org/news.html
2003-12-31
Published