CVE-2014-3660
published 2014-11-04CVE-2014-3660: parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent…
medium5CVSS 3.1
AVNACLAuNCNINAP
parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
Affected
147 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | apple_tv | — | — |
| apple | ios | — | — |
| apple | iphone_os | <= 9.2.1 | — |
| apple | mac_os_x | <= 10.10.4 | — |
| apple | mac_os_x | <= 10.11.3 | — |
| apple | os_x_yosemite_v10.10.5_and_security_update_2015-006 | — | — |
| apple | tvos | <= 9.1 | — |
| apple | watchos | <= 2.1 | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libxml2 | < libxml2 2.9.3+dfsg1-1 (bookworm) | libxml2 2.9.3+dfsg1-1 (bookworm) |
| debian | libxml2 | < libxml2 2.9.2+dfsg1-1 (bookworm) | libxml2 2.9.2+dfsg1-1 (bookworm) |
| hp | icewall_federation_agent | — | — |
| hp | icewall_file_manager | — | — |
| nokogiri | nokogiri | >= 1.6.0 < 1.6.7.1 | 1.6.7.1 |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_hpc_node | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
CVSS provenance
nvd7.1HIGHAV:N/AC:M/Au:N/C:N/I:N/A:C
ghsa5.0MEDIUM
osv5.0MEDIUM