CVE-2012-2921
Published: 2012-05-21

CVE-2012-2921: Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a…

Priority: P4
CVSS 2.0: 5.0 (medium), vector AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 1.86% (76.6th percentile)
Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.
Affected (20 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | feedparser | < feedparser 5.1.2-1 (bookworm) | feedparser 5.1.2-1 (bookworm) |
| mark_pilgrim | feedparser | <= 5.1.1 | — |
| mark_pilgrim | feedparser | — | — |
| mark_pilgrim | feedparser | >= 0 < 5.1.2-1 | 5.1.2-1 |
| mark_pilgrim | feedparser | >= 0 < 5.1.2 | 5.1.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
OSV: feedparser denial of service vulnerability (osv, 2018-07-24, severity HIGH)
Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.
GHSA: feedparser denial of service vulnerability (ghsa, 2018-07-24, severity HIGH, CWE-611)
Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.
OSV: CVE-2012-2921: Universal Feed Parser (aka feedparser or python-feedparser) before 5 (osv, 2012-05-21, CVSS 5.0, severity MEDIUM)
Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.
Ubuntu: feedparser vulnerability (vendor_ubuntu, 2012-05-22)
Title: feedparser vulnerability
Summary: Applications using feedparser could be made to crash if they fetched a specially crafted feed.
It was discovered that feedparser did not properly sanitize ENTITY declarations in encoded fields. A remote attacker could exploit this to cause a denial of service via memory exhaustion.
Instructions: In general, a standard system update will make all the necessary changes.
Debian: CVE-2012-2921: feedparser - Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows ... (vendor_debian, 2012, CVSS 5.0, severity MEDIUM)
Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.
Scope: local
bookworm: resolved (fixed in 5.1.2-1)
bullseye: resolved (fixed in 5.1.2-1)
forky: resolved (fixed in 5.1.2-1)
sid: resolved (fixed in 5.1.2-1)
trixie: resolved (fixed in 5.1.2-1)
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2012-2921 python-feedparser: DoS via memory consumption processing ENTITY declarations [fedora-all] (bugzilla, 2012-05-23, CVSS 5.0, severity MEDIUM)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the bug IDs of this bug's parent bugs filed against the "Security Response" product (the top-level CVE bugs). Please mention the CVE IDs being fixed in the RPM changelog when available.
Bodhi update submission link: https://admin.fedoraproject.org
Bugzilla: CVE-2012-2921 python-feedparser: DoS via memory consumption processing ENTITY declarations (bugzilla, 2012-05-23, CVSS 5.0, severity MEDIUM)
A denial of service flaw was reported and fixed in feedparser, a module for parsing atom and RSS feeds in python. Previously, ENTITY declarations could be used to create a denial of service through exponential memory consumption, by allowing such declarations to hide in non-ASCII-compatible encoded documents. Feedparser now first normalizes the encoding and then replaces the DOCTYPE and ENTITY declarations.
This is corrected in upstream version 5.1.2 [1] and svn r703 [2].
[1] http://freecode.com/projects/feedparser/releases/344371
[2] https://code.google.com/p/feedparser/source/detail?r=703&path=/trunk/feedparser/feedparser.py
Discussion:
Created python-feedparser tracking bugs for this issue
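The ordering the comment above describes (normalize the encoding first, then replace the DOCTYPE and ENTITY declarations) is illustrated below in Python. This is an added example, not feedparser's own code; the sample document, the `detect_encoding` helper and the regular expressions are constructed for it. It also shows why the pre-fix order is encoding-dependent: a byte-level strip removes the declaration from UTF-8 input but misses the identical declaration when the document is UTF-16, because every ASCII character is then two bytes and the byte pattern for `<!DOCTYPE` never matches.

```python
import re

# Constructed sample document for this example (not from the advisory): a small
# feed with a DOCTYPE that declares one harmless, non-expanding internal entity.
SAMPLE_DOCUMENT = (
    '<?xml version="1.0" encoding="{enc}"?>\n'
    "<!DOCTYPE feed [\n"
    '  <!ENTITY greeting "hello">\n'
    "]>\n"
    "<feed><title>&greeting;</title></feed>\n"
)
# The same document in an ASCII-compatible and in a non-ASCII-compatible encoding.
SAMPLE_UTF8 = SAMPLE_DOCUMENT.format(enc="utf-8").encode("utf-8")
SAMPLE_UTF16 = SAMPLE_DOCUMENT.format(enc="utf-16").encode("utf-16")  # BOM + UTF-16

# Matches a DOCTYPE declaration together with its internal subset (where ENTITY
# declarations live). Compiled once for text and once for raw bytes so the two
# processing orders can be compared. Illustrative pattern only: it does not
# handle a ']' inside a quoted literal within the subset.
_DOCTYPE_TEXT = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[.*?\])?\s*>", re.DOTALL)
_DOCTYPE_BYTES = re.compile(rb"<!DOCTYPE\b[^\[>]*(?:\[.*?\])?\s*>", re.DOTALL)
_ENTITY_TEXT = re.compile(r"<!ENTITY\b")


def detect_encoding(data: bytes) -> str:
    """Pick a codec from the byte-order mark, defaulting to UTF-8.

    Hypothetical helper for this example: it only knows the BOMs used here,
    whereas a real feed parser also consults the XML declaration and HTTP headers.
    """
    if data.startswith(b"\xef\xbb\xbf"):
        return "utf-8-sig"
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "utf-16"
    return "utf-8"


def strip_declarations_bytes_first(data: bytes) -> str:
    """Pre-fix ordering: remove the DOCTYPE from the raw bytes, then decode.

    In UTF-16 every ASCII character occupies two bytes, so the byte pattern for
    '<!DOCTYPE' never matches and the declarations survive into the decoded text.
    """
    cleaned = _DOCTYPE_BYTES.sub(b"", data)
    return cleaned.decode(detect_encoding(cleaned))


def strip_declarations_normalized(data: bytes) -> str:
    """Post-fix ordering: decode to text first, then remove the DOCTYPE.

    Once the document is normalized to str, the same declaration is found
    regardless of the wire encoding.
    """
    text = data.decode(detect_encoding(data))
    return _DOCTYPE_TEXT.sub("", text)


def has_entity_declaration(text: str) -> bool:
    """Check whether a sanitized document still carries an ENTITY declaration.

    Useful as a post-sanitization assertion before handing text to an XML parser.
    """
    return _ENTITY_TEXT.search(text) is not None


if __name__ == "__main__":
    for label, data in (("utf-8", SAMPLE_UTF8), ("utf-16", SAMPLE_UTF16)):
        left_by_bytes_first = has_entity_declaration(strip_declarations_bytes_first(data))
        left_by_normalized = has_entity_declaration(strip_declarations_normalized(data))
        print(f"{label}: ENTITY left by bytes-first strip: {left_by_bytes_first}; "
              f"by normalize-first strip: {left_by_normalized}")
```

Running the block prints that the bytes-first strip leaves the ENTITY declaration in place only for the UTF-16 input, while the normalize-first strip removes it for both encodings. The `has_entity_declaration` check is the kind of post-sanitization assertion a consumer of untrusted feeds can keep in front of its XML parser independently of which library does the parsing.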
Bugzilla: CVE-2012-2921 python-feedparser: DoS via memory consumption processing ENTITY declarations [epel-all] (bugzilla, 2012-05-23, CVSS 5.0, severity MEDIUM)
References:
http://freecode.com/projects/feedparser/releases/344371
http://osvdb.org/81701
http://secunia.com/advisories/49256
http://www.mandriva.com/security/advisories?name=MDVSA-2013:118
http://www.securityfocus.com/bid/53654
https://code.google.com/p/feedparser/source/browse/trunk/NEWS?spec=svn706&r=706
https://code.google.com/p/feedparser/source/detail?r=703&path=/trunk/feedparser/feedparser.py
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0157