CVE-2012-0876

CWE-400Uncontrolled Resource ConsumptionCWE-407CWE-33115 documents9 sources
Severity
4.3MEDIUM
EPSS
0.3%
top 46.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
11
Libexpat Project LibexpatPython PythonCanonical Ubuntu Linux+8 more
Timeline
PublishedJul 3
Latest updateMay 13

Description

The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages9 packages

Debianexpat< 2.1.0~beta3-1+3
NVDpython/python2.6.02.6.8+3
Debianxmlrpc-c< 1.16.33-3.2+3
NVDoracle/solaris11.3

Also affects: Debian Linux 6.0, 7.0, Ubuntu Linux 10.04, 11.04, 11.10, 12.04, 8.04, Enterprise Linux 6.2

🔴Vulnerability Details

3
GHSA
GHSA-q8w9-7fww-v592: The XML parser (xmlparse2022-05-13
CVEList
CVE-2012-0876: The XML parser (xmlparse2012-07-03
OSV
CVE-2012-0876: The XML parser (xmlparse2012-07-03

📋Vendor Advisories

8
Red Hat
expat: Little entropy used for hash initialization2016-06-04
Ubuntu
Python 2.5 vulnerabilities2012-10-17
Ubuntu
Python 2.4 vulnerabilities2012-10-17
Ubuntu
XML-RPC for C and C++ vulnerabilities2012-09-10
Ubuntu
Expat vulnerabilities2012-08-10

💬Community

3
Bugzilla
CVE-2016-5300 expat: Little entropy used for hash initialization2016-06-06
Bugzilla
CVE-2012-1148 CVE-2012-0876 compat-expat1 various flaws [fedora-all]2013-07-09
Bugzilla
CVE-2012-0876 expat: hash table collisions CPU usage DoS2012-02-01