CVE-2024-23807

CWE-416: Use After Free | 12 documents | 7 sources

Severity: 9.8 CRITICAL
EPSS: 0.5% (top 34.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 29 (2024); Latest update Jan 15 (2026)

Description

The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs. Users are recommended to upgrade to version 3.2.5 which fixes the issue, or mitigate the issue by disabling DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable. This issue has been disclosed before as CVE-2018-1311, but unfortunately that advisory incorrectly

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (3 packages)

NVD: apache/xerces-c++, versions from 3.0.0 up to (excluding) 3.2.5
Ubuntu: xerces-c < 3.2.3+debian-3ubuntu0.1+3

Patches

Vulnerability Details (3)

GHSA: GHSA-8582-h585-f568: The Apache Xerces C++ XML parser on versions 3... (2024-02-29)
OSV: CVE-2024-23807: The Apache Xerces C++ XML parser on versions 3... (2024-02-29)
CVEList: Apache Xerces C++: Use-after-free on external DTD scan (2024-02-28)

Vendor Advisories (8)

Oracle: Oracle Siebel CRM Risk Matrix: EAI (Apache Xerces-C++) — CVE-2024-23807 (2026-01-15)
Oracle: Oracle Hyperion Risk Matrix: Security (Apache Xerces-C++) — CVE-2024-23807 (2025-10-15)
Oracle: Oracle JD Edwards Risk Matrix: Interoperability SEC (Apache Xerces-C++) — CVE-2024-23807 (2025-04-15)
Oracle: Oracle Supply Chain Risk Matrix: Core (Apache Xerces-C++) — CVE-2024-23807 (2025-01-15)
Oracle: Oracle Communications Applications Risk Matrix: Common functions (Apache Xerces-C++) — CVE-2024-23807 (2024-10-15)

Source: cvebase.io (CVE-2024-23807, CRITICAL, CVSS 9.8)