CVE-2024-25062

CWE-416 Use After Free (15 documents, 10 sources)
Severity
7.5 HIGH
EPSS
0.2%
top 62.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Feb 4, 2024
Latest update Oct 15, 2024

Description

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source     Package            Affected range                  More ranges
NVD        xmlsoft/libxml2    2.12.0 to < 2.12.5              +1
Debian     libxml2            < 2.9.10+dfsg-6.7+deb11u6       +3
RubyGems   nokogiri           1.16.0 to < 1.16.2              +1
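The two facts a practitioner needs from this page are the version ranges (the description's "before 2.11.7 and 2.12.x before 2.12.5", the RubyGems row above) and the precondition in the description: the use-after-free is only reached through the XML Reader interface when DTD validation and XInclude expansion are both enabled. The following is an added example, not code from libxml2, Nokogiri or this page, that turns both into a checkable exposure test. It assumes libxml2's public xmlParserOption bit values for XML_PARSE_DTDVALID (16) and XML_PARSE_XINCLUDE (1024), and that versions from the 2.13 branch onward are not affected because they postdate the fix; the sample inputs at the bottom are constructed.

```python
"""Exposure check for CVE-2024-25062 (libxml2 xmlValidatePopElement use-after-free).

Added example, not code from libxml2 or Nokogiri. It encodes the version
ranges quoted on this page and the parser-option combination named in the
description. Sample inputs at the bottom are constructed.
"""
import re

# libxml2 xmlParserOption bit values (public libxml2 API, parser.h).
XML_PARSE_DTDVALID = 1 << 4    # 16
XML_PARSE_XINCLUDE = 1 << 10   # 1024


def parse_libxml2_version(text):
    """Return (major, minor, micro) from a dotted version ('2.12.4'), from the
    numeric form libxml2 uses in 'xmllint --version' output ('21204'), or from
    a line containing either."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m:
        return tuple(int(g) for g in m.groups())
    m = re.search(r"\b(\d)(\d{2})(\d{2})\b", text)
    if m:
        return tuple(int(g) for g in m.groups())
    raise ValueError(f"no libxml2 version found in {text!r}")


def libxml2_affected(version):
    """Affected per the advisory text: 'before 2.11.7 and 2.12.x before 2.12.5'.
    2.11.7, 2.12.5 and later branches (2.13+, assumed fixed) are not affected."""
    if version < (2, 11, 7):
        return True
    if (2, 12, 0) <= version < (2, 12, 5):
        return True
    return False


def nokogiri_affected(version):
    """Range listed in the RubyGems row: 1.16.0 up to but excluding 1.16.2.
    The table's '+1' second range is not reproduced on the page, so only this
    one is encoded. A Nokogiri built against the system libxml2 must be judged
    by that library's version instead (see libxml2_affected)."""
    return (1, 16, 0) <= version < (1, 16, 2)


def reader_options_trigger(options):
    """The crash needs both DTD validation and XInclude expansion on the
    XML Reader; either flag alone does not reach the path the description names."""
    return bool(options & XML_PARSE_DTDVALID) and bool(options & XML_PARSE_XINCLUDE)


def assess(version_text, reader_options):
    """Combine the build check and the option check into one verdict."""
    v = parse_libxml2_version(version_text)
    vulnerable_build = libxml2_affected(v)
    reachable = reader_options_trigger(reader_options)
    if vulnerable_build and reachable:
        return "VULNERABLE: affected libxml2 %d.%d.%d with DTDVALID|XINCLUDE on the reader" % v
    if vulnerable_build:
        return "AT RISK: affected libxml2 %d.%d.%d, triggering option pair not enabled" % v
    return "OK: libxml2 %d.%d.%d is fixed" % v


if __name__ == "__main__":
    # Constructed sample inputs: one xmllint banner, two dotted version strings.
    print(assess("xmllint: using libxml version 21204", XML_PARSE_DTDVALID | XML_PARSE_XINCLUDE))
    print(assess("2.12.5", XML_PARSE_DTDVALID | XML_PARSE_XINCLUDE))
    print(assess("2.9.14", XML_PARSE_XINCLUDE))
```

Two caveats when applying this. The Debian row is a package revision, not an upstream version: `2.9.10+dfsg-6.7+deb11u6` carries a backported fix, so the dotted-version comparison above would wrongly flag it; compare Debian packages with `dpkg --compare-versions` against the fixed revision instead. And "AT RISK" is not "safe": disabling one of the two reader options only removes the known trigger, the fix is to move to 2.11.7 or 2.12.5 (Nokogiri 1.16.2, which repackages libxml2 2.12.5).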

Vulnerability Details (6)
GHSA
Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader (2024-03-18)
GHSA
Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062 (2024-02-05)
OSV
Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062 (2024-02-05)
CVEList
CVE-2024-25062: An issue was discovered in libxml2 before 2 (2024-02-04)
OSV
CVE-2024-25062: An issue was discovered in libxml2 before 2 (2024-02-04)

Vendor Advisories (8)
Oracle
Oracle Communications Risk Matrix: Platform (libxml2) — CVE-2024-25062 (2024-10-15)
Oracle
Oracle Communications Risk Matrix: Install (libxml2) — CVE-2024-25062 (2024-07-15)
Oracle
Oracle Communications Risk Matrix: Observability Services Overlay (libxml2) — CVE-2024-25062 (2024-04-15)
Ubuntu
libxml2 vulnerability (2024-03-11)
Ubuntu
libxml2 vulnerability (2024-02-26)
CVE-2024-25062 (HIGH CVSS 7.5) | An issue was discovered in libxml2 | cvebase.io