CVE-2017-7375

CWE-611 — XML External Entity (XXE)15 documents9 sources

Severity

9.8CRITICAL

EPSS

0.3%

top 51.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xmlsoft Libxml2 Debian Debian Linux Google Android

Timeline

PublishedFeb 19

Latest updateMay 14

Description

A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶Debianlibxml2< 2.9.4+dfsg1-3.1+3

▶Ubuntulibxml2< 2.9.1+dfsg1-3ubuntu4.10+1

▶NVDxmlsoft/libxml22.9.4+1

▶NVDgoogle/android8 versions+7

Also affects: Debian Linux 7.0, 8.0, 9.0

Patches

Patch: android.googlesource.com ↗Patch: bugzilla.redhat.com ↗Patch: git.gnome.org ↗

🔴Vulnerability Details

GHSA

GHSA-ww2p-x466-vpwf: A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i↗2022-05-14

▶

CVEList

CVE-2017-7375: A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i↗2018-02-19

▶

OSV

CVE-2017-7375: A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i↗2018-02-19

▶

OSV

libxml2 vulnerabilities↗2017-09-19

▶

📋Vendor Advisories

Ubuntu

libxml2 vulnerabilities↗2017-10-10

▶

Ubuntu

libxml2 vulnerabilities↗2017-09-19

▶

Android

CVE-2017-7375: Android Security Bulletin 2017-06-01 CVE: CVE-2017-7375 Severity: MEDIUM Type: RCE Affected AOSP versions: 4↗2017-06-01

▶

Red Hat

libxml2: Missing validation for external entities in xmlParsePEReference↗2017-04-17

▶

Debian

CVE-2017-7375: libxml2 - A flaw in libxml2 allows remote XML entity inclusion with default parser flags (...↗2017

▶

💬Community

Bugzilla

CVE-2017-7375 libxml2: Missing validation for external entities in xmlParsePEReference↗2017-06-16

▶

Bugzilla

CVE-2017-0663 CVE-2017-7375 CVE-2017-7376 libxml2: various flaws [fedora-all]↗2017-06-16

▶

Bugzilla

CVE-2017-0663 CVE-2017-7375 CVE-2017-7376 mingw-libxml2: various flaws [fedora-all]↗2017-06-16

▶

Bugzilla

CVE-2017-0663 CVE-2017-7375 CVE-2017-7376 mingw-libxml2: various flaws [epel-7]↗2017-06-16

▶

Bugzilla

CVE-2016-9318 libxml2: XML External Entity vulnerability↗2016-11-16

▶