CVE-2017-8872
published 2017-05-10CVE-2017-8872: The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
PriorityP338critical9.1CVSS 3.1
AVNACLPRNUINSUCHINAH
EPSS
2.31%
81.2th percentile
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | < libxml2 2.9.4+dfsg1-6.1 (bookworm) | libxml2 2.9.4+dfsg1-6.1 (bookworm) |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-6.1 | 2.9.4+dfsg1-6.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-6.1 | 2.9.4+dfsg1-6.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-6.1 | 2.9.4+dfsg1-6.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-6.1 | 2.9.4+dfsg1-6.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-6.1ubuntu1.4 | 2.9.4+dfsg1-6.1ubuntu1.4 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-5ubuntu0.20.04.1 | 2.9.10+dfsg-5ubuntu0.20.04.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.1+dfsg1-3ubuntu4.13+esm2 | 2.9.1+dfsg1-3ubuntu4.13+esm2 |
| xmlsoft | libxml2 | >= 0 < 2.9.3+dfsg1-1ubuntu0.7+esm1 | 2.9.3+dfsg1-1ubuntu0.7+esm1 |
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvdv3.09.1CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:P
osv9.1CRITICAL
vendor_debian9.1CRITICAL
vendor_redhat9.1CRITICAL
vendor_ubuntu9.1CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-8hvw-m45w-cr5x: The htmlParseTryOrFinish function in HTMLparser
ghsa_unreviewed·2022-05-13
CVE-2017-8872 [CRITICAL] CWE-125 GHSA-8hvw-m45w-cr5x: The htmlParseTryOrFinish function in HTMLparser
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
OSV
libxml2 vulnerabilities
osv·2021-06-17·CVSS 9.1
CVE-2017-8872 [CRITICAL] libxml2 vulnerabilities
libxml2 vulnerabilities
Yunho Kim discovered that libxml2 incorrectly handled certain error
conditions. A remote attacker could exploit this with a crafted XML file to
cause a denial of service, or possibly cause libxml2 to expose sensitive
information. This issue only affected Ubuntu 14.04 ESM, and Ubuntu 16.04
ESM. (CVE-2017-8872)
Zhipeng Xie discovered that libxml2 incorrectly handled certain XML
schemas. A remote attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM,
and Ubuntu 18.04 LTS. (CVE-2019-20388)
It was discovered that libxml2 incorrectly handled invalid UTF-8 input. A
remote attacker could possibly exploit this with a crafted XML file to
cause libxml2 to crash, resulting in a denial of service. This
OSV
CVE-2017-8872: The htmlParseTryOrFinish function in HTMLparser
osv·2017-05-10·CVSS 9.1
CVE-2017-8872 [CRITICAL] CVE-2017-8872: The htmlParseTryOrFinish function in HTMLparser
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
CISA ICS
Hitachi Energy APM Edge (Update A)
cisa_ics·2021-12-02·CVSS 9.1
[CRITICAL] Hitachi Energy APM Edge (Update A)
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Hitachi Energy APM Edge (Update A)
Last RevisedOctober 18, 2022
Alert CodeICSA-21-336-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.2
- ATTENTION: Low attack complexity
- Vendor: Hitachi Energy
- Equipment: Transformer Asset Performance Management (APM) Edge
- Vulnerability: Reliance on Uncontrolled Component
## 2. UPDATE OR REPOSTED INFORMATION
This updated advisory is a follow-up to the original advisory titled “ICSA-21-336-06 Hitachi Energy APM Edge” that was published December 02, 2021, on the ICS webpage on cisa.gov/ics.
## 3. RISK EVALUATION
Successful exploitation of thi
Ubuntu
libxml2 vulnerabilities
vendor_ubuntu·2021-06-17·CVSS 9.1
CVE-2021-3516 [CRITICAL] libxml2 vulnerabilities
Title: libxml2 vulnerabilities
Summary: Several security issues were fixed in libxml2.
Yunho Kim discovered that libxml2 incorrectly handled certain error
conditions. A remote attacker could exploit this with a crafted XML file to
cause a denial of service, or possibly cause libxml2 to expose sensitive
information. This issue only affected Ubuntu 14.04 ESM, and Ubuntu 16.04
ESM. (CVE-2017-8872)
Zhipeng Xie discovered that libxml2 incorrectly handled certain XML
schemas. A remote attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM,
and Ubuntu 18.04 LTS. (CVE-2019-20388)
It was discovered that libxml2 incorrectly handled invalid UTF-8 input. A
remote attacker could possibly exploit this with a crafted XML file t
Debian
CVE-2017-8872: libxml2 - The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attack...
vendor_debian·2017·CVSS 9.1
CVE-2017-8872 [CRITICAL] CVE-2017-8872: libxml2 - The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attack...
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
Scope: local
bookworm: resolved (fixed in 2.9.4+dfsg1-6.1)
bullseye: resolved (fixed in 2.9.4+dfsg1-6.1)
forky: resolved (fixed in 2.9.4+dfsg1-6.1)
sid: resolved (fixed in 2.9.4+dfsg1-6.1)
trixie: resolved (fixed in 2.9.4+dfsg1-6.1)
Red Hat
libxml2: Out-of-bounds read in htmlParseTryOrFinish
vendor_redhat·2016-11-28·CVSS 9.1
CVE-2017-8872 [CRITICAL] CWE-125 libxml2: Out-of-bounds read in htmlParseTryOrFinish
libxml2: Out-of-bounds read in htmlParseTryOrFinish
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
Package: libxml2 (Red Hat Enterprise Linux 5) - Will not fix
Package: libxml2 (Red Hat Enterprise Linux 6) - Will not fix
Package: libxml2 (Red Hat Enterprise Linux 7) - Will not fix
Package: mingw-virt-viewer (Red Hat Enterprise Virtualization 3) - Will not fix
Package: libxml2 (Red Hat JBoss Web Server 3) - Will not fix
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-8872 libxml2: Out-of-bounds read in htmlParseTryOrFinish
bugzilla·2017-05-10·CVSS 9.1
CVE-2017-8872 [CRITICAL] CVE-2017-8872 libxml2: Out-of-bounds read in htmlParseTryOrFinish
CVE-2017-8872 libxml2: Out-of-bounds read in htmlParseTryOrFinish
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=775200
Discussion:
Created libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1449544]
Created mingw-libxml2 tracking bugs for this issue:
Affects: epel-7 [bug 1449543]
Affects: fedora-all [bug 1449545]
Bugzilla
CVE-2017-8872 mingw-libxml2: libxml2: Out-of-bounds read in htmlParseTryOrFinish [epel-7]
bugzilla·2017-05-10·CVSS 9.1
CVE-2017-8872 [CRITICAL] CVE-2017-8872 mingw-libxml2: libxml2: Out-of-bounds read in htmlParseTryOrFinish [epel-7]
CVE-2017-8872 mingw-libxml2: libxml2: Out-of-bounds read in htmlParseTryOrFinish [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to f
Bugzilla
CVE-2017-8872 mingw-libxml2: libxml2: Out-of-bounds read in htmlParseTryOrFinish [fedora-all]
bugzilla·2017-05-10·CVSS 9.1
CVE-2017-8872 [CRITICAL] CVE-2017-8872 mingw-libxml2: libxml2: Out-of-bounds read in htmlParseTryOrFinish [fedora-all]
CVE-2017-8872 mingw-libxml2: libxml2: Out-of-bounds read in htmlParseTryOrFinish [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple su
Bugzilla
CVE-2017-8872 libxml2: Out-of-bounds read in htmlParseTryOrFinish [fedora-all]
bugzilla·2017-05-10·CVSS 9.1
CVE-2017-8872 [CRITICAL] CVE-2017-8872 libxml2: Out-of-bounds read in htmlParseTryOrFinish [fedora-all]
CVE-2017-8872 libxml2: Out-of-bounds read in htmlParseTryOrFinish [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported version
2017-05-10
Published