CVE-2013-0338
published 2013-04-25CVE-2013-0338: libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity…
PriorityP419medium4.3CVSS 2.0
AVNACMAuNCNINAP
EPSS
2.97%
85.6th percentile
libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
Affected
141 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | libxml2 | < libxml2 2.8.0+dfsg1-7+nmu1 (bookworm) | libxml2 2.8.0+dfsg1-7+nmu1 (bookworm) |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| oracle | fusion_middleware | — | — |
| oracle | fusion_middleware | — | — |
| oracle | fusion_middleware | — | — |
| xmlsoft | libxml2 | <= 2.9.0 | — |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | — | — |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:N/A:P
osv4.3MEDIUM
vendor_debian4.3MEDIUM
vendor_redhat4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VMware
VMware vCenter Chargeback Manager Remote Code Execution
vendor_vmware·2013-06-11·CVSS 5.0
CVE-2013-0166 [MEDIUM] VMware vCenter Chargeback Manager Remote Code Execution
VMSA-2013-0008: VMware vCenter Chargeback Manager Remote Code Execution
a. vCenter Chargeback Manager Remote Code Execution The vCenter Chargeback Manager (CBM) contains a flaw in its handling of file uploads. Exploitation of this issue may allow an unauthenticated attacker to execute code remotely. VMware would like to thank Andrea Micalizzi, aka rgod, for reporting this issue to us through HP's Zero Day Initiative (ZDI). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3520 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Product Version Running on Replace with / Apply Patch VMware Product CBM Product Version 2.01 Running on an
Ubuntu
libxml2 vulnerability
vendor_ubuntu·2013-03-28
CVE-2013-0338 libxml2 vulnerability
Title: libxml2 vulnerability
Summary: libxml2 could be made to hang if it received specially crafted input.
It was discovered that libxml2 incorrectly handled XML entity expansion.
An attacker could use this flaw to cause libxml2 to consume large amounts
of resources, resulting in a denial of service.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Red Hat
libxml2: CPU consumption DoS when performing string substitutions during entities expansion
vendor_redhat·2013-02-19·CVSS 4.3
CVE-2013-0338 [MEDIUM] libxml2: CPU consumption DoS when performing string substitutions during entities expansion
libxml2: CPU consumption DoS when performing string substitutions during entities expansion
libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
Package: mingw32-libxml2 (Red Hat Enterprise Linux 6) - Will not fix
Debian
CVE-2013-0338: libxml2 - libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial o...
vendor_debian·2013·CVSS 4.3
CVE-2013-0338 [MEDIUM] CVE-2013-0338: libxml2 - libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial o...
libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
Scope: local
bookworm: resolved (fixed in 2.8.0+dfsg1-7+nmu1)
bullseye: resolved (fixed in 2.8.0+dfsg1-7+nmu1)
forky: resolved (fixed in 2.8.0+dfsg1-7+nmu1)
sid: resolved (fixed in 2.8.0+dfsg1-7+nmu1)
trixie: resolved (fixed in 2.8.0+dfsg1-7+nmu1)
GHSA
GHSA-39pv-g7w9-q7vv: Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11
ghsa_unreviewed·2022-05-17·CVSS 4.3
CVE-2015-0386 [MEDIUM] GHSA-39pv-g7w9-q7vv: Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11
Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2013-0338, CVE-2013-2877, and CVE-2014-0191.
GHSA
GHSA-pvmp-h985-7qh3: libxml2 2
ghsa_unreviewed·2022-05-05
CVE-2013-0338 [MEDIUM] CWE-119 GHSA-pvmp-h985-7qh3: libxml2 2
libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
OSV
CVE-2013-0338: libxml2 2
osv·2013-04-25·CVSS 4.3
CVE-2013-0338 [MEDIUM] CVE-2013-0338: libxml2 2
libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-0339 libxml2: CPU consumption DoS and other effects when performing string substitutions during external entities expansion
bugzilla·2013-02-25·CVSS 4.3
CVE-2013-0339 [MEDIUM] CVE-2013-0339 libxml2: CPU consumption DoS and other effects when performing string substitutions during external entities expansion
CVE-2013-0339 libxml2: CPU consumption DoS and other effects when performing string substitutions during external entities expansion
A denial of service flaw was found in the way libxml2, a library providing support to read, modify and write XML and HTML files, performed string substitutions when entity values for external entity references replacement (--noent option) was requested / enabled during the XML file parsing. A remote attacker could provide a specially-crafted XML file containing an external entity expansion, when processed would lead to excessive CPU consumption (denial of service).
This a different flaw from CVE-2013-0338.
Upstream patch:
http://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab
Discussion:
Reference:
http://seclists.org/o
Bugzilla
CVE-2013-0338 libxml2: CPU consumption DoS when performing string substitutions during entities expansion
bugzilla·2013-02-18·CVSS 6.5
CVE-2013-0338 [MEDIUM] CVE-2013-0338 libxml2: CPU consumption DoS when performing string substitutions during entities expansion
CVE-2013-0338 libxml2: CPU consumption DoS when performing string substitutions during entities expansion
A denial of service flaw was found in the way libxml2, a library providing support to read, modify and write XML and HTML files, performed string substitutions when entity values for entity references replacement (--noent option) was requested / enabled during the XML file parsing. A remote attacker could provide a specially-crafted XML file that, when processed would lead to excessive CPU consumption (denial of service).
Discussion:
This issue affects the versions of the libxml2 package, as shipped with Red Hat Enterprise Linux 5 and 6.
--
This issue affects the versions of the libxml2 package, as shipped with Fedora release of 17 and 18.
--
This issue affects the versions of t
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00002.htmlhttp://lists.opensuse.org/opensuse-updates/2013-03/msg00112.htmlhttp://lists.opensuse.org/opensuse-updates/2013-03/msg00114.htmlhttp://marc.info/?l=bugtraq&m=142798889927587&w=2http://secunia.com/advisories/52662http://secunia.com/advisories/55568http://www.debian.org/security/2013/dsa-2652http://www.mandriva.com/security/advisories?name=MDVSA-2013:056http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.htmlhttp://www.ubuntu.com/usn/USN-1782-1https://bugzilla.redhat.com/show_bug.cgi?id=912400https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7abhttp://lists.opensuse.org/opensuse-security-announce/2013-11/msg00002.htmlhttp://lists.opensuse.org/opensuse-updates/2013-03/msg00112.htmlhttp://lists.opensuse.org/opensuse-updates/2013-03/msg00114.htmlhttp://marc.info/?l=bugtraq&m=142798889927587&w=2http://secunia.com/advisories/52662http://secunia.com/advisories/55568http://www.debian.org/security/2013/dsa-2652http://www.mandriva.com/security/advisories?name=MDVSA-2013:056http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.htmlhttp://www.ubuntu.com/usn/USN-1782-1https://bugzilla.redhat.com/show_bug.cgi?id=912400https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab
2013-04-25
Published