CVE-2015-1819 — XML Entity Expansion in Nokogiri

CWE-399 CWE-776 — XML Entity Expansion18 documents9 sources

Severity

5.0MEDIUMNVD

EPSS

1.9%

top 16.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xmlsoft Libxml2 Nokogiri Apple Iphone OS +10 more

Timeline

PublishedAug 14

Latest updateAug 8

Description

The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages11 packages

▶Debianxmlsoft/libxml2< 2.9.2+really2.9.1+dfsg1-0.1+3

▶Ubuntuxmlsoft/libxml2< 2.9.1+dfsg1-3ubuntu4.5

▶RubyGemsnokogiri/nokogiri1.6.6.0 — 1.6.6.4

▶NVDapple/tvos9.1

▶NVDapple/watchos2.1

Also affects: Debian Linux 7.0, 8.0, Fedora 22, 23, Ubuntu Linux 12.04, 14.04, 15.04

Patches

Patch: git.gnome.org ↗Patch: git.gnome.org ↗

🔴Vulnerability Details

GHSA

Nokogiri vulnerable to libxml XML Entity Expansion↗2018-08-08

▶

OSV

Nokogiri vulnerable to libxml XML Entity Expansion↗2018-08-08

▶

OSV

libxml2 vulnerabilities↗2015-11-16

▶

CVEList

CVE-2015-1819: The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expan↗2015-08-14

▶

OSV

CVE-2015-1819: The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expan↗2015-08-14

▶

📋Vendor Advisories

Ubuntu

libxml2 vulnerabilities↗2015-11-16

▶

Red Hat

libxml2: denial of service processing a crafted XML document↗2015-04-14

▶

Debian

CVE-2015-1819: libxml2 - The xmlreader in libxml allows remote attackers to cause a denial of service (me...↗2015

▶

Apple

CVE-2015-5312: watchOS 2.2↗

▶

Apple

CVE-2015-1819: iOS 9.3↗

▶

💬Community

Bugzilla

CVE-2015-1819 libxml2: denial of service processing a crafted XML document↗2015-04-13

▶