cbcvebase.
CVE-2023-39615
published 2023-08-29

CVE-2023-39615: Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows…

PriorityP425medium6.5CVSS 3.1
AVNACLPRNUIRSUCNINAH
EPSS
0.67%
47.3th percentile
Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

Affected

6 ranges
VendorProductVersion rangeFixed in
debianlibxml2< libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm)libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm)
xmlsoftlibxml2
xmlsoftlibxml2>= 0 < 2.9.10+dfsg-6.7+deb11u62.9.10+dfsg-6.7+deb11u6
xmlsoftlibxml2>= 0 < 2.9.14+dfsg-1.3~deb12u22.9.14+dfsg-1.3~deb12u2
xmlsoftlibxml2>= 0 < 2.12.7+dfsg+really2.9.14-12.12.7+dfsg+really2.9.14-1
xmlsoftlibxml2>= 0 < 2.12.7+dfsg+really2.9.14-12.12.7+dfsg+really2.9.14-1

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
osv6.5MEDIUM
vendor_debian6.5MEDIUM
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.