CVE-2012-2825
published 2012-06-27CVE-2012-2825: The XSL implementation in Google Chrome before 20.0.1132.43 allows remote attackers to cause a denial of service (incorrect read operation) via unspecified…
PriorityP419medium5CVSS 2.0
AVNACLAuNCNINAP
EPSS
2.12%
79.6th percentile
The XSL implementation in Google Chrome before 20.0.1132.43 allows remote attackers to cause a denial of service (incorrect read operation) via unspecified vectors.
Affected
130 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxslt | < libxslt 1.1.26-13 (bookworm) | libxslt 1.1.26-13 (bookworm) |
| debian | libxslt | — | — |
| chrome | <= 20.0.1132.42 | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — |
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv5.0MEDIUM
vendor_debian5.0LOW
vendor_redhat5.0MEDIUM
vendor_ubuntu4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VMware
VMware vSphere security updates for the authentication service and third party libraries
vendor_vmware·2013-01-31·CVSS 10.0
CVE-2011-1202 [CRITICAL] VMware vSphere security updates for the authentication service and third party libraries
VMSA-2013-0001: VMware vSphere security updates for the authentication service and third party libraries
a. VMware vSphere client-side authentication memory corruption vulnerability VMware vCenter Server, vSphere Client, and ESX contain a vulnerability in the handling of the management authentication protocol. To exploit this vulnerability, an attacker must convince either vCenter Server, vSphere Client or ESX to interact with a malicious server as a client. Exploitation of the issue may lead to code execution on the client system. To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management network. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2013-1405 to this issue. Column 4 of the following tabl
Debian
CVE-2013-4520: libxslt - xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a de...
vendor_debian·2013·CVSS 5.0
CVE-2013-4520 [MEDIUM] CVE-2013-4520: libxslt - xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a de...
xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type. NOTE: this issue is due to an incomplete fix for CVE-2012-2825.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
VMware
VMware security updates for vCSA, vCenter Server, and ESXi
vendor_vmware·2012-12-20·CVSS 4.0
CVE-2009-5029 [MEDIUM] VMware security updates for vCSA, vCenter Server, and ESXi
VMSA-2012-0018: VMware security updates for vCSA, vCenter Server, and ESXi
a. vCenter Server Appliance directory traversal The vCenter Server Appliance (vCSA) contains a directory traversal vulnerability that allows an authenticated remote user to retrieve arbitrary files. Exploitation of this issue may expose sensitive information stored on the server. VMware would like to thank Alexander Minozhenko from ERPScan for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-6324 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Product Version Running on Replace with/ Apply Patch VMware Product vCSA Product Vers
Ubuntu
libxslt vulnerabilities
vendor_ubuntu·2012-10-04·CVSS 4.3
CVE-2011-1202 [MEDIUM] libxslt vulnerabilities
Title: libxslt vulnerabilities
Summary: Applications using libxslt could be made to crash or run programs as your
login if they processed a specially crafted file.
Chris Evans discovered that libxslt incorrectly handled generate-id XPath
functions. If a user or automated system were tricked into processing a
specially crafted XSLT document, a remote attacker could obtain potentially
sensitive information. This issue only affected Ubuntu 8.04 LTS, Ubuntu
10.04 LTS and Ubuntu 11.04. (CVE-2011-1202)
It was discovered that libxslt incorrectly parsed certain patterns. If a
user or automated system were tricked into processing a specially crafted
XSLT document, a remote attacker could cause libxslt to crash, causing a
denial of service. (CVE-2011-3970)
Nicholas Gregoire discovered that libxs
Red Hat
libxslt: DoS when reading unexpected DTD nodes in XSLT
vendor_redhat·2012-06-26·CVSS 5.0
CVE-2012-2825 [MEDIUM] libxslt: DoS when reading unexpected DTD nodes in XSLT
libxslt: DoS when reading unexpected DTD nodes in XSLT
The XSL implementation in Google Chrome before 20.0.1132.43 allows remote attackers to cause a denial of service (incorrect read operation) via unspecified vectors.
Package: libxslt (Red Hat Enterprise Linux 4) - Will not fix
Debian
CVE-2012-2825: libxslt - The XSL implementation in Google Chrome before 20.0.1132.43 allows remote attack...
vendor_debian·2012·CVSS 5.0
CVE-2012-2825 [MEDIUM] CVE-2012-2825: libxslt - The XSL implementation in Google Chrome before 20.0.1132.43 allows remote attack...
The XSL implementation in Google Chrome before 20.0.1132.43 allows remote attackers to cause a denial of service (incorrect read operation) via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 1.1.26-13)
bullseye: resolved (fixed in 1.1.26-13)
forky: resolved (fixed in 1.1.26-13)
sid: resolved (fixed in 1.1.26-13)
trixie: resolved (fixed in 1.1.26-13)
Red Hat
libxslt: DoS when reading unexpected DTD nodes in XSLT in versions prior to 1.1.25
vendor_redhat·2009-09-16·CVSS 5.0
CVE-2013-4520 [MEDIUM] libxslt: DoS when reading unexpected DTD nodes in XSLT in versions prior to 1.1.25
libxslt: DoS when reading unexpected DTD nodes in XSLT in versions prior to 1.1.25
xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type. NOTE: this issue is due to an incomplete fix for CVE-2012-2825.
Statement: Not vulnerable. This issue was corrected in Red Hat Enterprise Linux 5 via RHSA-2012:1265. It did not affect Red Hat Enterprise Linux 6.
Package: libxslt (Red Hat Enterprise Linux 4) - Will not fix
Package: libxslt (Red Hat Enterprise Linux 5) - Not affected
Package: libxslt (Red Hat Enterprise Linux 6) - Not affected
GHSA
GHSA-fj65-38p4-j4mp: The XSL implementation in Google Chrome before 20
ghsa_unreviewed·2022-05-17
CVE-2012-2825 [MEDIUM] CWE-20 GHSA-fj65-38p4-j4mp: The XSL implementation in Google Chrome before 20
The XSL implementation in Google Chrome before 20.0.1132.43 allows remote attackers to cause a denial of service (incorrect read operation) via unspecified vectors.
GHSA
GHSA-762m-frp4-phf3: xslt
ghsa_unreviewed·2022-05-17·CVSS 5.0
CVE-2013-4520 [MEDIUM] GHSA-762m-frp4-phf3: xslt
xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type. NOTE: this issue is due to an incomplete fix for CVE-2012-2825.
OSV
CVE-2012-2825: The XSL implementation in Google Chrome before 20
osv·2012-06-27·CVSS 5.0
CVE-2012-2825 [MEDIUM] CVE-2012-2825: The XSL implementation in Google Chrome before 20
The XSL implementation in Google Chrome before 20.0.1132.43 allows remote attackers to cause a denial of service (incorrect read operation) via unspecified vectors.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-4520 libxslt: DoS when reading unexpected DTD nodes in XSLT in versions prior to 1.1.25
bugzilla·2013-11-06·CVSS 5.0
CVE-2013-4520 [MEDIUM] CVE-2013-4520 libxslt: DoS when reading unexpected DTD nodes in XSLT in versions prior to 1.1.25
CVE-2013-4520 libxslt: DoS when reading unexpected DTD nodes in XSLT in versions prior to 1.1.25
It was reported that the fix for CVE-2012-2825 was incomplete for versions of libxslt prior to 1.1.25. The same flaw is still present in those older versions of libxslt without this additional fix:
https://gitorious.org/libxslt/libxslt/commit/7089a62b8f133b42a2981cf1f920a8b3fe9a8caa
This never affected the versions of libxslt as provided with Red Hat Enterprise Linux 6 or Fedora. It was also corrected in Red Hat Enterprise Linux 5's libxslt as fixed with CVE-2012-2825 (RHSA-2012:1265) as the patch was included in our packages as noted in the changelog.
- CVE-2012-2825 requires an extra patch on 1.1.17
Statement:
Not vulnerable. This issue was corrected in Red Hat Enterprise Linux 5 via R
Bugzilla
CVE-2012-2825 CVE-2012-2871 CVE-2012-2870 libxslt various flaws [fedora-all]
bugzilla·2012-06-27·CVSS 5.0
CVE-2012-2825 [MEDIUM] CVE-2012-2825 CVE-2012-2871 CVE-2012-2870 libxslt various flaws [fedora-all]
CVE-2012-2825 CVE-2012-2871 CVE-2012-2870 libxslt various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=securit
Bugzilla
CVE-2012-2825 libxslt: DoS when reading unexpected DTD nodes in XSLT
bugzilla·2012-06-27·CVSS 5.0
CVE-2012-2825 [MEDIUM] CVE-2012-2825 libxslt: DoS when reading unexpected DTD nodes in XSLT
CVE-2012-2825 libxslt: DoS when reading unexpected DTD nodes in XSLT
The Google Chrome 20 release announcement [1] noted and fixed a flaw in libxslt:
* [$500] [127417] Medium CVE-2012-2825: Wild read in XSL handling. Credit to Nicholas Gregoire.
This has been corrected in the Chromium git repository [2]; the upstream fix is noted as pending.
[1] http://googlechromereleases.blogspot.de/2012/06/stable-channel-update_26.html
[2] http://git.chromium.org/gitweb/?p=chromium/src.git;a=patch;h=bb7bfb81c158268fb242292b7e0fbd2d3b933d09
Discussion:
Created libxslt tracking bugs for this issue
Affects: fedora-all [bug 835983]
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5
Via RHSA-2012:1265 https://rhn.redhat.com/errata/RHSA-20
arXiv
CyNER: A Python Library for Cybersecurity Named Entity Recognition
arxiv_fulltext·2022-04-08
CyNER: A Python Library for Cybersecurity Named Entity Recognition
## Abstract
Open Cyber threat intelligence (OpenCTI) information is available in an unstructured format from heterogeneous sources on the Internet. We present CyNER, an open-source python library for cybersecurity named entity recognition (NER). CyNER combines transformer-based models for extracting cybersecurity-related entities, heuristics for extracting different indicators of compromise, and publicly available NER models for generic entity types. We provide models trained on a diverse corpus that users can readily use. Events are described as classes in previous research - MALOnt2.0 and MALOnt and together extract a wide range of malware attack details from a threat intelligence corpus. The user can combine predictions from multiple different approaches to suit their needs. The librar
http://code.google.com/p/chromium/issues/detail?id=127417http://googlechromereleases.blogspot.com/2012/06/stable-channel-update_26.htmlhttp://lists.apple.com/archives/security-announce/2013/Oct/msg00009.htmlhttp://lists.apple.com/archives/security-announce/2013/Sep/msg00006.htmlhttp://secunia.com/advisories/54886http://support.apple.com/kb/HT5934http://support.apple.com/kb/HT6001https://hermes.opensuse.org/messages/15075728https://www.suse.com/support/update/announcement/2013/suse-su-20131654-1.htmlhttps://www.suse.com/support/update/announcement/2013/suse-su-20131656-1.htmlhttp://code.google.com/p/chromium/issues/detail?id=127417http://googlechromereleases.blogspot.com/2012/06/stable-channel-update_26.htmlhttp://lists.apple.com/archives/security-announce/2013/Oct/msg00009.htmlhttp://lists.apple.com/archives/security-announce/2013/Sep/msg00006.htmlhttp://secunia.com/advisories/54886http://support.apple.com/kb/HT5934http://support.apple.com/kb/HT6001https://hermes.opensuse.org/messages/15075728https://www.suse.com/support/update/announcement/2013/suse-su-20131654-1.htmlhttps://www.suse.com/support/update/announcement/2013/suse-su-20131656-1.html
2012-06-27
Published