CVE-2012-0841
published 2012-12-21
Priority P422 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS
3.17%
86.4th percentile
libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.
Affected
176 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | iphone_os | <= 6.1.4 | — |
CVSS provenance
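| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |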
Ubuntu
libxml2 vulnerability
vendor_ubuntu·2012-02-27
CVE-2012-0841 libxml2 vulnerability
Title: libxml2 vulnerability
Summary: libxml2 could be made to cause a denial of service by consuming excessive
CPU resources.
Juraj Somorovsky discovered that libxml2 was vulnerable to hash table
collisions. If a user or application linked against libxml2 were tricked
into opening a specially crafted XML file, an attacker could cause a
denial of service.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Red Hat
libxml2: hash table collisions CPU usage DoS
vendor_redhat·2012-02-21·CVSS 5.0
CVE-2012-0841 [MEDIUM] CWE-407 libxml2: hash table collisions CPU usage DoS
libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.
Package: libxml2 (Red Hat Enterprise Linux 4) - Affected
Debian
CVE-2012-0841: libxml2 - libxml2 before 2.8.0 computes hash values without restricting the ability to tri...
vendor_debian·2012·CVSS 5.0
CVE-2012-0841 [MEDIUM] CVE-2012-0841: libxml2 - libxml2 before 2.8.0 computes hash values without restricting the ability to tri...
libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.
Scope: local
bookworm: resolved (fixed in 2.7.8.dfsg-8)
bullseye: resolved (fixed in 2.7.8.dfsg-8)
forky: resolved (fixed in 2.7.8.dfsg-8)
sid: resolved (fixed in 2.7.8.dfsg-8)
trixie: resolved (fixed in 2.7.8.dfsg-8)
GHSA
GHSA-339p-rqfr-wg3j: libxml2 before 2
ghsa_unreviewed·2022-05-17
CVE-2012-0841 [MEDIUM] GHSA-339p-rqfr-wg3j: libxml2 before 2
libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.
OSV
CVE-2012-0841: libxml2 before 2
osv·2012-12-21·CVSS 5.0
CVE-2012-0841 [MEDIUM] CVE-2012-0841: libxml2 before 2
libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-0841 libxml2: hash table collisions CPU usage DoS [fedora-all]
bugzilla·2012-02-21·CVSS 5.0
CVE-2012-0841 [MEDIUM] CVE-2012-0841 libxml2: hash table collisions CPU usage DoS [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bug
Bugzilla
CVE-2012-0841 libxml2: hash table collisions CPU usage DoS [epel-5]
bugzilla·2012-02-21·CVSS 5.0
CVE-2012-0841 [MEDIUM] CVE-2012-0841 libxml2: hash table collisions CPU usage DoS [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=78
Bugzilla
CVE-2012-0841 libxml2: hash table collisions CPU usage DoS
bugzilla·2012-02-03·CVSS 5.0
CVE-2012-0841 [MEDIUM] CVE-2012-0841 libxml2: hash table collisions CPU usage DoS
Juraj Somorovsky and Christopher Meyer reported that certain XML parsers/servers are affected by the same, or similar, flaw as the hash table collisions CPU usage denial of service. Sending a specially crafted message to an XML service can result in longer processing time, which could lead to a denial of service. It is reported that this attack on XML can be applied on different XML nodes (such as entities, element attributes, namespaces, various elements in the XML security, etc.).
libxml2 is written in C and makes significant use of arrays. I will contact
upstream to make them aware of this issue.
Discussion:
This is now public via:
http://git.gnome.org/browse/libxml2/commit/?id=8973d58b7498fa5100a876815476b81fd1a2412a
---
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660846
http://git.gnome.org/browse/libxml2/commit/?id=8973d58b7498fa5100a876815476b81fd1a2412a
http://lists.apple.com/archives/security-announce/2013/Oct/msg00009.html
http://lists.apple.com/archives/security-announce/2013/Sep/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00002.html
http://rhn.redhat.com/errata/RHSA-2012-0324.html
http://rhn.redhat.com/errata/RHSA-2013-0217.html
http://secunia.com/advisories/54886
http://secunia.com/advisories/55568
http://securitytracker.com/id?1026723
http://support.apple.com/kb/HT5934
http://support.apple.com/kb/HT6001
http://www.debian.org/security/2012/dsa-2417
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
http://www.openwall.com/lists/oss-security/2012/02/22/1
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
http://www.securityfocus.com/bid/52107
http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf
http://xmlsoft.org/news.html
https://blogs.oracle.com/sunsecurity/entry/cve_2012_0841_denial_of