CVE-2017-9233 — XML External Entity (XXE) Injection in Project Libexpat

CWE-611 — XML External Entity (XXE) Injection CWE-835 — Infinite Loop39 documents9 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 51.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Libexpat Project Libexpat Debian Linux

Timeline

PublishedJul 25

Latest updateMay 13

Description

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDlibexpat_project/libexpat2.2.0

▶NVDpython/python2.7.0 — 2.7.15+4

Also affects: Debian Linux 10.0, 8.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-6j8w-m4cc-r7hm: XML External Entity vulnerability in libexpat 2↗2022-05-13

▶

OSV

CVE-2017-9233: XML External Entity vulnerability in libexpat 2↗2017-07-25

▶

CVEList

CVE-2017-9233: XML External Entity vulnerability in libexpat 2↗2017-07-25

▶

📋Vendor Advisories

Ubuntu

Coin3D vulnerability↗2021-03-15

▶

Apple

CVE-2017-9049: macOS High Sierra 10.13↗2017-09-25

▶

Apple

CVE-2018-4302: macOS High Sierra 10.13↗2017-09-25

▶

Apple

CVE-2017-5130: macOS High Sierra 10.13↗2017-09-25

▶

Apple

CVE-2017-9233: macOS High Sierra 10.13↗2017-09-25

▶

💬Community

Bugzilla

CVE-2017-9233 expat21: expat: Inifinite loop due to invalid XML in external entity [epel-all]↗2017-06-19

▶

Bugzilla

CVE-2017-9233 expat: Inifinite loop due to invalid XML in external entity [fedora-all]↗2017-06-19

▶

Bugzilla

CVE-2017-9233 mingw-expat: expat: Inifinite loop due to invalid XML in external entity [epel-7]↗2017-06-19

▶

Bugzilla

CVE-2017-9233 compat-expat1: expat: Inifinite loop due to invalid XML in external entity [fedora-all]↗2017-06-19

▶

Bugzilla

CVE-2017-9233 expat: Inifinite loop due to invalid XML in external entity↗2017-06-19

▶