CVE-2023-34411XML External Entity (XXE) Injection in Rust-xml-rs

CWE-611XML External Entity (XXE) InjectionCWE-617Reachable Assertion6 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.1%
top 66.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
9
XML Library Project XML LibraryDebian Rust-xml-rsMsrc Azl3 Mozjs 102.15.1-1 ON Azure Linux 3.0+6 more
Timeline
PublishedJun 5
Latest updateJun 13

Description

The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages9 packages

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
xml-rs vulnerable to denial of service via invalid token in XML document2023-06-05
OSV
CVE-2023-34411: The xml-rs crate before 02023-06-05
GHSA
xml-rs vulnerable to denial of service via invalid token in XML document2023-06-05

📋Vendor Advisories

2
Microsoft
The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.92023-06-13
Debian
CVE-2023-34411: rust-xml-rs - The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (pan...2023
CVE-2023-34411 — XML External Entity (XXE) Injection | cvebase