Libexpat Project Libexpat vulnerabilities

47 known vulnerabilities affecting libexpat_project/libexpat.

Total CVEs: 47
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 20, MEDIUM 15, LOW 2

Vulnerabilities

Page 2 of 3
CVE-2022-25235 | CRITICAL | CVSS 9.8 | fixed in 2.4.5 | 2022-02-16
CWE-116: xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
nvd
CVE-2022-25236 | CRITICAL | CVSS 9.8 | fixed in 2.4.5 | 2022-02-16
CWE-668: xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
nvd
CVE-2022-23990 | HIGH | CVSS 7.5 | fixed in 2.4.4 | 2022-01-26
CWE-190: Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
nvd
CVE-2022-23852 | CRITICAL | CVSS 9.8 | fixed in 2.4.4 | 2022-01-24
CWE-190: Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
nvd
CVE-2022-22823 | CRITICAL | CVSS 9.8 | fixed in 2.4.3 | 2022-01-10
CWE-190: build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
nvd
CVE-2022-22822 | CRITICAL | CVSS 9.8 | fixed in 2.4.3 | 2022-01-10
CWE-190: addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
nvd
CVE-2022-22824 | CRITICAL | CVSS 9.8 | fixed in 2.4.3 | 2022-01-10
CWE-190: defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
nvd
CVE-2022-22826 | HIGH | CVSS 8.8 | fixed in 2.4.3 | 2022-01-10
CWE-190: nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
nvd
CVE-2022-22825 | HIGH | CVSS 8.8 | fixed in 2.4.3 | 2022-01-10
CWE-190: lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
nvd
CVE-2022-22827 | HIGH | CVSS 8.8 | fixed in 2.4.3 | 2022-01-10
CWE-190: storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
nvd
CVE-2021-46143 | HIGH | CVSS 7.8 | fixed in 2.4.3 | 2022-01-06
CWE-190: In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
nvd
CVE-2021-45960 | HIGH | CVSS 8.8 | fixed in 2.4.3 | 2022-01-01
CWE-682: In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
nvd
CVE-2019-15903 | HIGH | CVSS 7.5 | fixed in 2.2.8 | 2019-09-04
CWE-125: In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
nvd
CVE-2018-20843 | HIGH | CVSS 7.5 | fixed in 2.2.7 | 2019-06-24
CWE-611: In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
nvd
CVE-2017-11742 | HIGH | CVSS 7.8 | v2.2.1, v2.2.2 | 2017-07-30
CWE-426: The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking.
nvd
CVE-2017-9233 | HIGH | CVSS 7.5 | ≤ 2.2.0 | 2017-07-25
CWE-611: XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.
nvd
CVE-2016-4472 | HIGH | CVSS 8.1 | ≤ 2.1.1 | 2016-06-30
The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
nvd
CVE-2016-5300 | HIGH | CVSS 7.5 | fixed in 2.2.0 | 2016-06-16
The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
nvd
CVE-2012-6702 | MEDIUM | CVSS 5.9 | fixed in 2.2.0 | 2016-06-16
CWE-310: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.
nvd
CVE-2016-0718 | CRITICAL | CVSS 9.8 | fixed in 2.2.0 | 2016-05-26
CWE-119: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
nvd