CVE-2023-28484

CWE-476 — NULL Pointer Dereference CWE-20 — Improper Input Validation15 documents10 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 51.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xmlsoft Libxml2 Debian Debian Linux

Timeline

PublishedApr 24

Latest updateJan 15

Description

In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDxmlsoft/libxml2< 2.10.4

▶Debianlibxml2< 2.9.10+dfsg-6.7+deb11u4+3

▶Ubuntulibxml2< 2.9.4+dfsg1-6.1ubuntu1.9+4

▶RubyGemsnokogiri< 1.14.3

Also affects: Debian Linux 10.0

Patches

Patch: gitlab.gnome.org ↗Patch: gitlab.gnome.org ↗

🔴Vulnerability Details

GHSA

GHSA-7cv2-wjgm-j7rm: In libxml2 before 2↗2023-04-24

▶

OSV

CVE-2023-28484: In libxml2 before 2↗2023-04-24

▶

CVEList

CVE-2023-28484: In libxml2 before 2↗2023-04-24

▶

OSV

libxml2 vulnerabilities↗2023-04-19

▶

OSV

Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs↗2023-04-11

▶

📋Vendor Advisories

Oracle

Oracle Oracle MySQL Risk Matrix: Cluster: General (libxml2) — CVE-2023-28484↗2024-01-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Install/Upgrade (libxml2) — CVE-2023-28484↗2023-10-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Install/Upgrade (libxml2) — CVE-2023-28484↗2023-07-15

▶

Ubuntu

libxml2 vulnerabilities↗2023-06-07

▶

Ubuntu

libxml2 vulnerabilities↗2023-04-19

▶