CVE-2014-3660

CWE-400 — Uncontrolled Resource Consumption13 documents10 sources

Severity

5.0MEDIUM

EPSS

4.3%

top 11.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple MAC OS X Xmlsoft Libxml2 Canonical Ubuntu Linux +2 more

Timeline

PublishedNov 4

Latest updateMay 17

Description

parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶Debianlibxml2< 2.9.2+dfsg1-1+3

▶NVDxmlsoft/libxml22.9.1+107

▶NVDapple/mac_os_x10.10.4

Also affects: Debian Linux 7.0, Ubuntu Linux 10.04, 12.04, 14.04, Enterprise Linux 5.0

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-xrph-4qjj-gj25: parser↗2022-05-17

▶

GHSA

Nokogiri subject to DoS via libxml2 vulnerability↗2018-08-21

▶

CVEList

CVE-2014-3660: parser↗2014-11-04

▶

OSV

CVE-2014-3660: parser↗2014-11-04

▶

📋Vendor Advisories

Red Hat

libxml2: CPU exhaustion when processing specially crafted XML input↗2015-12-01

▶

Ubuntu

libxml2 vulnerability↗2014-10-27

▶

Red Hat

libxml2: denial of service via recursive entity expansion↗2014-10-16

▶

Debian

CVE-2014-3660: libxml2 - parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even...↗2014

▶

Apple

CVE-2014-3660: iOS 8.4.1↗

▶

💬Community

Bugzilla

CVE-2014-3660 libxml2: denial of service via recursive entity expansion↗2014-10-03

▶