CVE-2011-1755 — XML Entity Expansion in Jabberd2

CWE-776 — XML Entity Expansion10 documents7 sources

Severity

7.5HIGHNVD

CNA6.5OSV6.5

EPSS

8.5%

top 7.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jabberd2 Apple MAC OS X Apple MAC OS X Server +1 more

Timeline

PublishedJun 21

Latest updateMay 17

Description

jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDjabberd2/jabberd2< 2.2.14

▶Debianjabberd2/jabberd2< 2.2.8-2.1+3

▶NVDapple/mac_os_x10.7.0 — 10.7.2+1

▶NVDapple/mac_os_x_server10.7.0 — 10.7.2+1

Also affects: Fedora 13, 14, 15

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-rpcf-xw9j-7c7j: jabberd2 before 2↗2022-05-17

▶

OSV

CVE-2011-1755: jabberd2 before 2↗2011-06-21

▶

CVEList

CVE-2011-1755: jabberd2 before 2↗2011-06-21

▶

📋Vendor Advisories

Red Hat

jabberd: DoS via the XML "billion laughs attack"↗2011-05-31

▶

Debian

CVE-2011-1755: jabberd2 - jabberd2 before 2.2.14 does not properly detect recursion during entity expansio...↗2011

▶

💬Community

Bugzilla

CVE-2011-1755 jabberd: DoS via the XML "billion laughs attack" [epel-5]↗2011-06-01

▶

Bugzilla

CVE-2011-1755 jabberd: DoS via the XML "billion laughs attack" [fedora-all]↗2011-06-01

▶

Bugzilla

CVE-2011-1755 jabberd: DoS via the XML "billion laughs attack" [epel-6]↗2011-06-01

▶

Bugzilla

CVE-2011-1755 jabberd: DoS via the XML "billion laughs attack"↗2011-04-28

▶