CVE-2013-2877
Published 2013-07-10
Priority: P4 · 23 · medium
CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
EPSS: 4.73% (90.7th percentile)
parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
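The description above is terse about the mechanism, so the following C program is added here as an illustration of the bug class it names. It is not libxml2's parser.c and not code from any advisory on this page: the names PARSER_EOF, base/cur/end and halt_parser() are assumptions that mirror libxml2 concepts (XML_PARSER_EOF, xmlParserInput, xmlHaltParser), and the comment-parsing routine is a hypothetical stand-in for any tokenizer helper that parks the input on an empty string when the document ends abruptly. The vulnerable caller keeps consuming input after the halt, which is the out-of-bounds read; the fixed caller adds the one state check the CVE text refers to. Reads past the end are counted rather than performed, so the model runs safely.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the CVE-2013-2877 bug class. Illustrative code written for this
 * page, NOT libxml2's parser.c; names only mirror libxml2 concepts. */

enum parser_state { PARSER_CONTENT, PARSER_EOF };

struct ctxt {
    const char *base, *cur, *end;   /* input window, like xmlParserInput */
    enum parser_state instate;      /* like ctxt->instate */
    size_t oob_reads;               /* instrumentation: reads past end */
};

/* A halted parser is parked on an empty string (as xmlHaltParser does).
 * Padding keeps this model's pointer arithmetic defined on the buggy path. */
static const char EMPTY[8] = "";

static void halt_parser(struct ctxt *c)
{
    c->instate = PARSER_EOF;
    c->base = c->cur = c->end = EMPTY;   /* zero bytes remain */
}

/* Instrumented read: reading the NUL at end is legal (buffers are
 * NUL-terminated); anything beyond is recorded instead of dereferenced. */
static int cur_byte(struct ctxt *c)
{
    if (c->cur > c->end) {
        c->oob_reads++;
        return 0;
    }
    return c->cur == c->end ? 0 : (unsigned char)*c->cur;
}

/* Unchecked advance, modelled on a SKIP(n)-style macro: the caller is
 * assumed to know n bytes are present. After a halt that is false. */
static void skip(struct ctxt *c, size_t n)
{
    c->cur += n;
}

/* Consume a comment body up to "-->"; halt if the document ends inside it. */
static void parse_comment_body(struct ctxt *c)
{
    while (c->end - c->cur >= 3) {      /* ptrdiff_t: negative => stop */
        if (c->cur[0] == '-' && c->cur[1] == '-' && c->cur[2] == '>')
            return;
        c->cur++;
    }
    halt_parser(c);                     /* "document ends abruptly" */
}

/* Vulnerable caller: skips "-->" and reads on although the parser halted. */
static int parse_comment_vuln(struct ctxt *c)
{
    skip(c, 4);                 /* "<!--", already matched by the caller */
    parse_comment_body(c);
    skip(c, 3);                 /* BUG: no PARSER_EOF check, cur walks past "" */
    return cur_byte(c);         /* out-of-bounds read on truncated input */
}

/* Fixed caller: re-check the state after any helper that may halt. */
static int parse_comment_fixed(struct ctxt *c)
{
    skip(c, 4);
    parse_comment_body(c);
    if (c->instate == PARSER_EOF)
        return -1;              /* stop; nothing may touch input after a halt */
    skip(c, 3);
    return cur_byte(c);
}

/* Run one variant. Returns the byte after the comment (0 at end of input,
 * -1 when the fixed variant bails out) and reports out-of-bounds reads. */
int run_comment_parser(const char *doc, size_t len, int fixed, size_t *oob_reads)
{
    struct ctxt c = { doc, doc, doc + len, PARSER_CONTENT, 0 };
    int r = fixed ? parse_comment_fixed(&c) : parse_comment_vuln(&c);
    *oob_reads = c.oob_reads;
    return r;
}

/* Convenience wrappers for checking a single outcome of a NUL-terminated doc. */
int comment_parser_result(const char *doc, int fixed)
{
    size_t o;
    return run_comment_parser(doc, strlen(doc), fixed, &o);
}

size_t comment_parser_oob(const char *doc, int fixed)
{
    size_t o;
    run_comment_parser(doc, strlen(doc), fixed, &o);
    return o;
}

int main(void)
{
    /* Constructed inputs: one well-formed, one cut off inside the comment. */
    const char *ok = "<!-- fine -->x";
    const char *cut = "<!-- never closed";
    printf("well-formed, vuln : next=%c oob=%zu\n",
           comment_parser_result(ok, 0), comment_parser_oob(ok, 0));
    printf("truncated,   vuln : ret=%d oob=%zu\n",
           comment_parser_result(cut, 0), comment_parser_oob(cut, 0));
    printf("truncated,   fixed: ret=%d oob=%zu\n",
           comment_parser_result(cut, 1), comment_parser_oob(cut, 1));
    return 0;
}
```

The practitioner's takeaway is the shape of the fix rather than the comment syntax: every call site that follows a helper able to halt the parser needs its own state check, because the halt leaves the input pointer on a zero-length buffer and any unchecked advance after it is a read outside the document. Fuzzing with truncated documents (cut at every byte offset) is the cheapest way to find call sites that still lack the check.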
Affected
199 ranges (only rows carrying version data are reproduced)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | < 2.9.1+dfsg1-1 (bookworm) | 2.9.1+dfsg1-1 (bookworm) |
| — | chrome | <= 28.0.1500.70 | — |
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv5.0MEDIUM
vendor_ubuntu6.8MEDIUM
vendor_debian5.0MEDIUM
vendor_redhat5.0MEDIUM
VMware
VMware vSphere product updates address security vulnerabilities
vendor_vmware·2014-12-04·CVSS 4.3
CVE-2013-1752 [MEDIUM] VMware vSphere product updates address security vulnerabilities
VMSA-2014-0012: VMware vSphere product updates address security vulnerabilities
a. VMware vCSA cross-site scripting vulnerability VMware vCenter Server Appliance (vCSA) contains a vulnerability that may allow for Cross Site Scripting. Exploitation of this vulnerability in vCenter Server requires tricking a user to click on a malicious link or to open a malicious web page. VMware would like to thank Tanya Secker of Trustwave SpiderLabs for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3797 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Product Version Running on Replace with/ Apply Patch VMware Pro
Ubuntu
libxml2 regression
vendor_ubuntu·2013-07-17·CVSS 6.8
[MEDIUM] libxml2 regression
Title: libxml2 regression
Summary: USN-1904-1 introduced a regression in libxml2.
USN-1904-1 fixed vulnerabilities in libxml2. The update caused a regression
for certain users. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that libxml2 would load XML external entities by default.
If a user or automated system were tricked into opening a specially crafted
document, an attacker could possibly obtain access to arbitrary files or
cause resource consumption. This issue only affected Ubuntu 10.04 LTS,
Ubuntu 12.04 LTS, and Ubuntu 12.10. (CVE-2013-0339)
It was discovered that libxml2 incorrectly handled documents that end
abruptly. If a user or automated system were tricked into opening a
specially crafted document, an attack
Ubuntu
libxml2 vulnerabilities
vendor_ubuntu·2013-07-15·CVSS 6.8
CVE-2013-0339 [MEDIUM] libxml2 vulnerabilities
Title: libxml2 vulnerabilities
Summary: Several security issues were fixed in libxml2.
It was discovered that libxml2 would load XML external entities by default.
If a user or automated system were tricked into opening a specially crafted
document, an attacker could possibly obtain access to arbitrary files or
cause resource consumption. This issue only affected Ubuntu 10.04 LTS,
Ubuntu 12.04 LTS, and Ubuntu 12.10. (CVE-2013-0339)
It was discovered that libxml2 incorrectly handled documents that end
abruptly. If a user or automated system were tricked into opening a
specially crafted document, an attacker could possibly cause libxml2 to
crash, resulting in a denial of service. (CVE-2013-2877)
Instructions: After a standard system update you need to reboot your computer to make all
the
Red Hat
libxml2: Out-of-bounds read via a document that ends abruptly
vendor_redhat·2013-07-09·CVSS 5.0
CVE-2013-2877 [MEDIUM] CWE-125 libxml2: Out-of-bounds read via a document that ends abruptly
libxml2: Out-of-bounds read via a document that ends abruptly
parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
Package: libxml2 (Red Hat Enterprise Linux 5) - Will not fix
Package: mingw32-libxml2 (Red Hat Enterprise Linux 6) - Will not fix
Debian
CVE-2013-2877: libxml2 - parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 a...
vendor_debian·2013·CVSS 5.0
CVE-2013-2877 [MEDIUM] CVE-2013-2877: libxml2 - parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 a...
parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
Scope: local
bookworm: resolved (fixed in 2.9.1+dfsg1-1)
bullseye: resolved (fixed in 2.9.1+dfsg1-1)
forky: resolved (fixed in 2.9.1+dfsg1-1)
sid: resolved (fixed in 2.9.1+dfsg1-1)
trixie: resolved (fixed in 2.9.1+dfsg1-1)
GHSA
GHSA-fx83-qvvj-7h25: parser
ghsa_unreviewed·2022-05-17
CVE-2013-2877 [MEDIUM] CWE-119 GHSA-fx83-qvvj-7h25: parser
parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
GHSA
GHSA-39pv-g7w9-q7vv: Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11
ghsa_unreviewed·2022-05-17·CVSS 4.3
CVE-2015-0386 [MEDIUM] GHSA-39pv-g7w9-q7vv: Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11
Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2013-0338, CVE-2013-2877, and CVE-2014-0191.
OSV
CVE-2013-2877: parser
osv·2013-07-10·CVSS 5.0
CVE-2013-2877 [MEDIUM] CVE-2013-2877: parser
parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-2877 libxml2: Out-of-bounds read via a document that ends abruptly
bugzilla·2013-07-10·CVSS 5.0
CVE-2013-2877 [MEDIUM] CVE-2013-2877 libxml2: Out-of-bounds read via a document that ends abruptly
CVE-2013-2877 libxml2: Out-of-bounds read via a document that ends abruptly
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-2877 to the following vulnerability:
parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
References:
[1] ftp://xmlsoft.org/libxml2/libxml2-2.9.0.tar.gz
[2] http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=commit;h=e5d7f7e5dc21d3ae7be3cbb949ac4d8701e06de1
[3] http://googlechromereleases.blogspot.com/2013/07/stable-channel-update.html
[4] https://code.google.com/p/chromium/issues/detail?id=229019
Relevant upstream pa
Bugzilla
libxml2: CVE-2013-2877 libxml2: Out-of-bounds read via a document that ends abruptly [fedora-17]
bugzilla·2013-07-10·CVSS 5.0
CVE-2013-2877 [MEDIUM] libxml2: CVE-2013-2877 libxml2: Out-of-bounds read via a document that ends abruptly [fedora-17]
libxml2: CVE-2013-2877 libxml2: Out-of-bounds read via a document that ends abruptly [fedora-17]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
fedora-1
References:
ftp://xmlsoft.org/libxml2/libxml2-2.9.0.tar.gz
http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=commit;h=e5d7f7e5dc21d3ae7be3cbb949ac4d8701e06de1
http://googlechromereleases.blogspot.com/2013/07/stable-channel-update.html
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00002.html
http://lists.opensuse.org/opensuse-updates/2013-07/msg00063.html
http://lists.opensuse.org/opensuse-updates/2013-07/msg00077.html
http://seclists.org/fulldisclosure/2014/Dec/23
http://secunia.com/advisories/54172
http://secunia.com/advisories/55568
http://www.debian.org/security/2013/dsa-2724
http://www.debian.org/security/2013/dsa-2779
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.securityfocus.com/bid/61050
http://www.ubuntu.com/usn/USN-1904-1
http://www.ubuntu.com/usn/USN-1904-2
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
https://code.google.com/p/chromium/issues/detail?id=229019