CVE-2008-4409
Published 2008-10-03
CVE-2008-4409: libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of…
Priority: P4 · 25 · medium · 5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 8.53% (94.4th percentile)
libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | — | — |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | — | — |
CVSS provenance
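| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| vendor_debian | — | 6.5 | LOW | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |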
Red Hat
libxml2: infinite loop when entity is used in entity definition
vendor_redhat·2008-10-02·CVSS 6.5
CVE-2008-4409 [MEDIUM] CWE-835 libxml2: infinite loop when entity is used in entity definition
Statement: Not vulnerable. This issue did not affect the versions of libxml2 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
Debian
CVE-2008-4409: libxml2 - libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definition...
vendor_debian·2008·CVSS 6.5
CVE-2008-4409 [MEDIUM] CVE-2008-4409: libxml2 - libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definition...
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-34h5-p5c9-pjw6: libxml2 2
ghsa_unreviewed·2022-05-02·CVSS 6.5
CVE-2008-4409 [MEDIUM] GHSA-34h5-p5c9-pjw6: libxml2 2
No detection rules found.
http://bugzilla.gnome.org/show_bug.cgi?id=554660
http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html
http://openwall.com/lists/oss-security/2008/10/02/4
http://secunia.com/advisories/32130
http://secunia.com/advisories/32175
http://secunia.com/advisories/32974
http://secunia.com/advisories/35379
http://security.gentoo.org/glsa/glsa-200812-06.xml
http://support.apple.com/kb/HT3613
http://support.apple.com/kb/HT3639
http://www.mandriva.com/security/advisories?name=MDVSA-2008:212
http://www.securityfocus.com/bid/31555
http://www.vupen.com/english/advisories/2009/1522
http://www.vupen.com/english/advisories/2009/1621
https://exchange.xforce.ibmcloud.com/vulnerabilities/45633
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00125.html
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00130.html
Published: 2008-10-03