CVE-2023-39615

CWE-119 — Buffer Overflow6 documents6 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 69.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xmlsoft Libxml2

Timeline

PublishedAug 29

Description

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDxmlsoft/libxml22.11.0

▶Debianlibxml2< 2.9.10+dfsg-6.7+deb11u6+3

Patches

Patch: gitlab.gnome.org ↗Patch: gitlab.gnome.org ↗

🔴Vulnerability Details

OSV

CVE-2023-39615: Xmlsoft Libxml2 v2↗2023-08-29

▶

GHSA

GHSA-9fj4-8443-vg2m: Xmlsoft Libxml2 v2↗2023-08-29

▶

CVEList

CVE-2023-39615: Xmlsoft Libxml2 v2↗2023-08-29

▶

📋Vendor Advisories

Red Hat

libxml2: crafted xml can cause global buffer overflow↗2023-08-29

▶

Debian

CVE-2023-39615: libxml2 - Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the ...↗2023

▶