Severity: 6.5 MEDIUM
EPSS: 0.8% (top 26.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Apr 8
Latest update: Aug 14

Description

The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

NVD: xmlsoft/libxml2 < 2.9.6
Debian: libxml2 < 2.9.10+dfsg-2+3
RubyGems: nokogiri < 1.8.2

Patches

Vulnerability Details (5)

OSV: libxml2 vulnerabilities (2018-08-14)
GHSA: Uncontrolled resource consumption in nokogiri (2018-04-13)
OSV: Uncontrolled resource consumption in nokogiri (2018-04-13)
CVEList: CVE-2017-18258: The xz_head function in xzlib (2018-04-08)
OSV: CVE-2017-18258: The xz_head function in xzlib (2018-04-08)

Vendor Advisories (3)

Ubuntu: libxml2 vulnerabilities (2018-08-14)
Red Hat: libxml2: Unrestricted memory usage in xz_head() function in xzlib.c (2017-09-07)
Debian: CVE-2017-18258: libxml2 - The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers ... (2017)

Community (3)

Bugzilla: CVE-2017-18258 mingw-libxml2: libxml2: denial of service in xz_head function in xzlib.c [fedora-all] (2018-04-12)
Bugzilla: CVE-2017-18258 libxml2: Unrestricted memory usage in xz_head() function in xzlib.c (2018-04-12)
Bugzilla: CVE-2017-18258 mingw-libxml2: libxml2: denial of service in xz_head function in xzlib.c [epel-7] (2018-04-12)
CVE-2017-18258 (MEDIUM CVSS 6.5) | The xz_head function in xzlib.c in | cvebase.io