CVE-2013-0340

CWE-611 — XML External Entity (XXE)13 documents8 sources

Severity

6.8MEDIUM

EPSS

0.1%

top 81.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Ipados Apple Iphone OS Apple Macos +5 more

Timeline

PublishedJan 21

Latest updateMay 5

Description

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for reso…

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages9 packages

▶NVDlibexpat_project/libexpat< 2.4.0

▶Debianexpat< 2.4.1-2+2

▶NVDapple/tvos< 15.0

▶NVDapple/macos< 11.6

▶NVDapple/ipados< 14.8

🔴Vulnerability Details

GHSA

GHSA-w3v2-46wf-pq33: expat 2↗2022-05-05

▶

CVEList

CVE-2013-0340: expat before version 2↗2014-01-21

▶

OSV

CVE-2013-0340: expat before version 2↗2014-01-21

▶

📋Vendor Advisories

Apple

CVE-2013-0340: iOS 15 and iPadOS 15↗2021-09-20

▶

Apple

CVE-2013-0340: watchOS 8↗2021-09-20

▶

Apple

CVE-2013-0340: tvOS 15↗2021-09-20

▶

Apple

CVE-2013-0340: iOS 14.8 and iPadOS 14.8↗2021-09-13

▶

Apple

CVE-2013-0340: Security Update 2021-005 Catalina↗2021-09-13

▶

💬Community

Bugzilla

CVE-2013-0340 expat: internal entity expansion↗2013-08-22

▶