CVE-2024-25062
published 2024-02-04CVE-2024-25062: An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion…
PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
1.38%
68.6th percentile
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | < libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) | libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) |
| msrc | azl3_libxml2_2.11.5-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_libxml2_2.11.5-5_on_azure_linux_3.0 | — | — |
| msrc | cbl2_libxml2_2.10.4-4_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_libxml2_2.10.4-6_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| nokogiri | nokogiri | >= 0 < 1.15.6 | 1.15.6 |
| nokogiri | nokogiri | >= 1.16.0 < 1.16.2 | 1.16.2 |
| xmlsoft | libxml2 | < 2.11.7 | 2.11.7 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-6.7+deb11u6 | 2.9.10+dfsg-6.7+deb11u6 |
| xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3~deb12u2 | 2.9.14+dfsg-1.3~deb12u2 |
| xmlsoft | libxml2 | >= 0 < 2.12.7+dfsg+really2.9.14-1 | 2.12.7+dfsg+really2.9.14-1 |
| xmlsoft | libxml2 | >= 0 < 2.12.7+dfsg+really2.9.14-1 | 2.12.7+dfsg+really2.9.14-1 |
| xmlsoft | libxml2 | >= 2.12.0 < 2.12.5 | 2.12.5 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa7.5HIGH
osv7.5HIGH
vendor_debian7.5HIGH
vendor_msrc7.5HIGH
vendor_oracle7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Oracle
Oracle Oracle Communications Risk Matrix: Platform (libxml2) — CVE-2024-25062
vendor_oracle·2024-10-15·CVSS 7.5
CVE-2024-25062 [HIGH] Oracle Oracle Communications Risk Matrix: Platform (libxml2) — CVE-2024-25062
Oracle Oracle Communications Risk Matrix: Platform (libxml2) vulnerability
CVE: CVE-2024-25062
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2024 (OCT 2024)
CISA ICS
Siemens SINEC NMS
cisa_ics·2024-08-15·CVSS 7.0
[HIGH] Siemens SINEC NMS
ICS Advisory
##
Siemens SINEC NMS
Release DateAugust 15, 2024
Alert CodeICSA-24-228-06
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.4
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SINEC NMS
- Vulnerabilities: Use After Free, Improper Input Validation, Deserialization of Untrusted Data, Improper Restriction of Operations
Oracle
Oracle Oracle Communications Risk Matrix: Install (libxml2) — CVE-2024-25062
vendor_oracle·2024-07-15·CVSS 7.5
CVE-2024-25062 [HIGH] Oracle Oracle Communications Risk Matrix: Install (libxml2) — CVE-2024-25062
Oracle Oracle Communications Risk Matrix: Install (libxml2) vulnerability
CVE: CVE-2024-25062
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2024 (JUL 2024)
Oracle
Oracle Oracle Communications Risk Matrix: Observability Services Overlay (libxml2) — CVE-2024-25062
vendor_oracle·2024-04-15·CVSS 7.5
CVE-2024-25062 [HIGH] Oracle Oracle Communications Risk Matrix: Observability Services Overlay (libxml2) — CVE-2024-25062
Oracle Oracle Communications Risk Matrix: Observability Services Overlay (libxml2) vulnerability
CVE: CVE-2024-25062
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2024 (APR 2024)
Ubuntu
libxml2 vulnerability
vendor_ubuntu·2024-03-11
CVE-2024-25062 libxml2 vulnerability
Title: libxml2 vulnerability
Summary: libxml2 could be made to crash or run programs if it opened a specially
crafted file.
USN-6658-1 fixed a vulnerability in libxml2. This update
provides the corresponding updates for Ubuntu 14.04 LTS,
Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that libxml2 incorrectly handled certain XML documents. A
remote attacker could possibly use this issue to cause libxml2 to crash,
resulting in a denial of service, or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
libxml2 vulnerability
vendor_ubuntu·2024-02-26
CVE-2024-25062 libxml2 vulnerability
Title: libxml2 vulnerability
Summary: libxml2 could be made to crash or run programs if it opened a specially
crafted file.
It was discovered that libxml2 incorrectly handled certain XML documents. A
remote attacker could possibly use this issue to cause libxml2 to crash,
resulting in a denial of service, or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled processing crafted XML documents can l
vendor_msrc·2024-02-13·CVSS 7.5
CVE-2024-25062 [HIGH] CWE-416 An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled processing crafted XML documents can l
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additi
Red Hat
libxml2: use-after-free in XMLReader
vendor_redhat·2024-02-04·CVSS 7.5
CVE-2024-25062 [HIGH] CWE-416 libxml2: use-after-free in XMLReader
libxml2: use-after-free in XMLReader
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
A use-after-free flaw was found in libxml2. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Statement: The severity of this vulnerability is not important but moderate due to the lack of impact to both confidentiality and integrity, but potential impact to availability. The theoretical risk of impact to availability is limited due to the specific requirement that applications must c
Debian
CVE-2024-25062: libxml2 - An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When ...
vendor_debian·2024·CVSS 7.5
CVE-2024-25062 [HIGH] CVE-2024-25062: libxml2 - An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When ...
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Scope: local
bookworm: resolved (fixed in 2.9.14+dfsg-1.3~deb12u2)
bullseye: resolved (fixed in 2.9.10+dfsg-6.7+deb11u6)
forky: resolved (fixed in 2.12.7+dfsg+really2.9.14-1)
sid: resolved (fixed in 2.12.7+dfsg+really2.9.14-1)
trixie: resolved (fixed in 2.12.7+dfsg+really2.9.14-1)
GHSA
Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader
ghsa·2024-03-18·CVSS 7.5
[HIGH] CWE-416 Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader
Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xc9x-jj77-9p9j. This link is maintained to preserve external references.
# Original Description
### Summary
Nokogiri upgrades its dependency libxml2 as follows:
- v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
- v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4
libxml2 v2.11.7 and v2.12.5 address the following vulnerability:
CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only
OSV
Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader
osv·2024-03-18·CVSS 7.5
[HIGH] Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader
Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xc9x-jj77-9p9j. This link is maintained to preserve external references.
# Original Description
### Summary
Nokogiri upgrades its dependency libxml2 as follows:
- v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
- v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4
libxml2 v2.11.7 and v2.12.5 address the following vulnerability:
CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only
GHSA
Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
ghsa·2024-02-05·CVSS 7.5
CVE-2024-25062 [HIGH] CWE-416 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
## Summary
Nokogiri upgrades its dependency libxml2 as follows:
- Nokogiri v1.15.6 upgrades libxml2 to [2.11.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.7) from 2.11.6
- Nokogiri v1.16.2 upgrades libxml2 to [2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5) from 2.12.4
libxml2 v2.11.7 and v2.12.5 address the following vulnerability:
- CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the _packaged_ libraries are being used. If
OSV
Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
osv·2024-02-05·CVSS 7.5
CVE-2024-25062 [HIGH] Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
## Summary
Nokogiri upgrades its dependency libxml2 as follows:
- Nokogiri v1.15.6 upgrades libxml2 to [2.11.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.7) from 2.11.6
- Nokogiri v1.16.2 upgrades libxml2 to [2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5) from 2.12.4
libxml2 v2.11.7 and v2.12.5 address the following vulnerability:
- CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the _packaged_ libraries are being used. If
OSV
CVE-2024-25062: An issue was discovered in libxml2 before 2
osv·2024-02-04·CVSS 7.5
CVE-2024-25062 [HIGH] CVE-2024-25062: An issue was discovered in libxml2 before 2
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
GHSA
GHSA-x77r-6xxm-wjmx: An issue was discovered in libxml2 before 2
ghsa_unreviewed·2024-02-04
CVE-2024-25062 [HIGH] CWE-416 GHSA-x77r-6xxm-wjmx: An issue was discovered in libxml2 before 2
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
No detection rules found.
No public exploits indexed.
https://gitlab.gnome.org/GNOME/libxml2/-/issues/604https://gitlab.gnome.org/GNOME/libxml2/-/tagshttps://gitlab.gnome.org/GNOME/libxml2/-/issues/604https://gitlab.gnome.org/GNOME/libxml2/-/tagshttps://lists.debian.org/debian-lts-announce/2025/02/msg00028.htmlhttps://security.netapp.com/advisory/ntap-20241018-0009/
2024-02-04
Published