Severity: 9.8 CRITICAL
EPSS: 1.7% (top 17.99%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Nov 23; Latest update May 13

Description

parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

Debian: libxml2 < 2.9.4+dfsg1-3.1+3
NVD: xmlsoft/libxml2 2.9.4

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-7mr2-r9fx-7j9m: parser (2022-05-13)
CVEList: CVE-2017-16931: parser (2017-11-23)
OSV: CVE-2017-16931: parser (2017-11-23)

📋 Vendor Advisories (3)

Oracle: Oracle Systems Risk Matrix: XCP Firmware (libxml2) — CVE-2017-16931 (2021-07-15)
Red Hat: libxml2: Mishandling parameter-entity references (2017-06-05)
Debian: CVE-2017-16931: libxml2 - parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because ... (2017)

💬 Community (6)

Bugzilla: CVE-2017-16931 mingw-libxml2: libxml2: Mishandling parameter-entity references [fedora-all] (2017-11-24)
Bugzilla: CVE-2017-16931 libxml2: Mishandling parameter-entity references (2017-11-24)
Bugzilla: CVE-2017-16931 rubygem-nokogiri: libxml2: Mishandling parameter-entity references [epel-all] (2017-11-24)
Bugzilla: CVE-2017-16931 mingw-libxml2: libxml2: Mishandling parameter-entity references [epel-7] (2017-11-24)
Bugzilla: CVE-2017-16931 rubygem-nokogiri: libxml2: Mishandling parameter-entity references [fedora-all] (2017-11-24)
CVE-2017-16931 (CRITICAL CVSS 9.8) | parser.c in libxml2 before 2.9.5 mi | cvebase.io