CVE-2015-5312

CWE-399 CWE-400 — Uncontrolled Resource Consumption14 documents9 sources

Severity

7.1HIGH

EPSS

1.0%

top 23.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Iphone OS Apple MAC OS X Apple Tvos +10 more

Timeline

PublishedDec 15

Latest updateAug 21

Description

The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.

CVSS vector

AV:N/AC:M/C:N/I:N/A:CExploitability: 8.6 | Impact: 6.9

Affected Packages14 packages

▶Debianlibxml2< 2.9.3+dfsg1-1+3

▶Ubuntulibxml2< 2.9.1+dfsg1-3ubuntu4.6

▶NVDxmlsoft/libxml22.9.2

▶RubyGemsnokogiri1.6.0 — 1.6.7.1

▶NVDapple/tvos9.1

Also affects: Debian Linux 7.0, 8.0, Ubuntu Linux 12.04, 14.04, 15.04, 15.10

🔴Vulnerability Details

OSV

Nokogiri subject to DoS via libxml2 vulnerability↗2018-08-21

▶

GHSA

Nokogiri subject to DoS via libxml2 vulnerability↗2018-08-21

▶

OSV

CVE-2015-5312: The xmlStringLenDecodeEntities function in parser↗2015-12-15

▶

CVEList

CVE-2015-5312: The xmlStringLenDecodeEntities function in parser↗2015-12-15

▶

OSV

libxml2 vulnerabilities↗2015-12-14

▶

📋Vendor Advisories

Ubuntu

libxml2 vulnerabilities↗2015-12-14

▶

Red Hat

libxml2: CPU exhaustion when processing specially crafted XML input↗2015-12-01

▶

Debian

CVE-2015-5312: libxml2 - The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does...↗2015

▶

Apple

CVE-2015-5312: watchOS 2.2↗

▶

Apple

CVE-2015-5312: iOS 9.3↗

▶

💬Community

Bugzilla

CVE-2015-5312 libxml2: CPU exhaustion when processing specially crafted XML input↗2015-10-30

▶