CVE-2022-23990

CWE-190 — Integer Overflow11 documents10 sources

Severity

7.5HIGH

EPSS

3.5%

top 12.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform External/expat Libexpat Project Libexpat Siemens Sinema Remote Connect Server +4 more

Timeline

PublishedJan 26

Latest updateSep 1

Description

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDlibexpat_project/libexpat< 2.4.4

▶Androidplatform/external/expat10:0 — 10:2022-09-01+3

▶Debianexpat< 2.2.10-2+deb11u1+3

▶NVDtenable/nessus10.0.0 — 10.1.1+1

▶NVDsiemens/sinema_remote_connect_server< 3.1

Also affects: Debian Linux 10.0, 11.0, Fedora 34, 35

Patches

Patch: cert-portal.siemens.com ↗Patch: github.com ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

OSV

CVE-2022-23990: In closeString of xmlparse↗2022-09-01

▶

GHSA

GHSA-r3g2-gw56-v728: Expat (aka libexpat) before 2↗2022-02-10

▶

OSV

CVE-2022-23990: Expat (aka libexpat) before 2↗2022-01-26

▶

CVEList

CVE-2022-23990: Expat (aka libexpat) before 2↗2022-01-26

▶

📋Vendor Advisories

Android

CVE-2022-23990: Android Security Bulletin 2022-09-01 CVE: CVE-2022-23990 Severity: HIGH Type: EoP Affected AOSP versions: 10, 11, 12, 12L References: A-221256678↗2022-09-01

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: User Interface (LibExpat) — CVE-2022-23990↗2022-04-15

▶

Ubuntu

Expat vulnerabilities↗2022-02-21

▶

Red Hat

expat: integer overflow in the doProlog function↗2022-01-26

▶

Microsoft

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.↗2022-01-11

▶