CVE-2022-40304

Severity: 7.8 HIGH
EPSS: 0.2% (top 55.47%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 23; latest update Apr 15

Description

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (8 packages)

Source   | Package          | Affected versions
NVD      | xmlsoft/libxml2  | < 2.10.3
Debian   | libxml2          | < 2.9.10+dfsg-6.7+deb11u3 (+3)
RubyGems | nokogiri         | < 1.13.9
NVD      | apple/tvos       | < 16.2
NVD      | apple/macos      | 11.0 to 11.7.2 (+1)

Patches

Vulnerability Details (8)

OSV     | libxml2 vulnerabilities | 2022-12-05
OSV     | libxml2 vulnerabilities | 2022-12-05
OSV     | CVE-2022-40304: An issue was discovered in libxml2 before 2... | 2022-11-23
GHSA    | GHSA-g848-pppp-vg6f: An issue was discovered in libxml2 before 2... | 2022-11-23
CVEList | CVE-2022-40304: An issue was discovered in libxml2 before 2... | 2022-11-23

Vendor Advisories (14)

Oracle | Oracle Communications Risk Matrix: Install/Upgrade (libxml2) — CVE-2022-40304 | 2023-04-15
Oracle | Oracle Communications Risk Matrix: Oracle Linux (libxml2) — CVE-2022-40304 | 2023-01-15
Apple  | CVE-2022-40304: macOS Big Sur 11.7.2 | 2022-12-13
Apple  | CVE-2022-40304: tvOS 16.2 | 2022-12-13
Apple  | CVE-2022-40304: iOS 15.7.2 and iPadOS 15.7.2 | 2022-12-13
CVE-2022-40304 (HIGH CVSS 7.8) | An issue was discovered in libxml2 | cvebase.io