CVE-2014-3660
Vulnerability Summary
Description
parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
CVSS Metrics
- v2.0: MEDIUM, Score: 5, Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 3.89%, Percentile: 88%
Affected Systems
- apple / mac_os_x: ≤ 10.10.4
- canonical / ubuntu_linux: 10.04 | 12.04 | 14.04
- debian / debian_linux: 7.0
- redhat / enterprise_linux: 5.0
- xmlsoft / libxml2: ≤ 2.9.1 | 2.0.0 | 2.1.0 | 2.1.1 | 2.2.0 | 2.2.0:beta | 2.2.1 | 2.2.2 | 2.2.3 | 2.2.4 | 2.2.5 | 2.2.6 | 2.2.7 | 2.2.8 | 2.2.9 | 2.2.10 | 2.2.11 | 2.3.0 | 2.3.1 | 2.3.2 | 2.3.3 | 2.3.4 | 2.3.5 | 2.3.6 | 2.3.7 | 2.3.8 | 2.3.9 | 2.3.10 | 2.3.11 | 2.3.12 | 2.3.13 | 2.3.14 | 2.4.1 | 2.4.2 | 2.4.3 | 2.4.4 | 2.4.5 | 2.4.6 | 2.4.7 | 2.4.8 | 2.4.9 | 2.4.10 | 2.4.11 | 2.4.12 | 2.4.13 | 2.4.14 | 2.4.15 | 2.4.16 | 2.4.17 | 2.4.18 | 2.4.19 | 2.4.20 | 2.4.21 | 2.4.22 | 2.4.23 | 2.4.24 | 2.4.25 | 2.4.26 | 2.4.27 | 2.4.28 | 2.4.29 | 2.4.30 | 2.5.0 | 2.5.4 | 2.5.7 | 2.5.8 | 2.5.10 | 2.5.11 | 2.6.0 | 2.6.1 | 2.6.2 | 2.6.3 | 2.6.4 | 2.6.5 | 2.6.6 | 2.6.7 | 2.6.8 | 2.6.9 | 2.6.11 | 2.6.12 | 2.6.13 | 2.6.14 | 2.6.16 | 2.6.17 | 2.6.18 | 2.6.20 | 2.6.21 | 2.6.22 | 2.6.23 | 2.6.24 | 2.6.25 | 2.6.26 | 2.6.27 | 2.6.28 | 2.6.29 | 2.6.30 | 2.6.31 | 2.6.32 | 2.7.0 | 2.7.1 | 2.7.2 | 2.7.3 | 2.7.4 | 2.7.5 | 2.7.6 | 2.7.7 | 2.7.8 | 2.8.0 | 2.9.0 | 2.9.0:rc1
References (23)
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://secunia.com/advisories/59903
- https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html
- http://www.debian.org/security/2014/dsa-3057
- https://support.apple.com/kb/HT205030
- http://www.securityfocus.com/bid/70644
- http://lists.opensuse.org/opensuse-updates/2014-10/msg00034.html
- https://bugzilla.redhat.com/attachment.cgi?id=944444&action=diff
- http://secunia.com/advisories/61966
- http://secunia.com/advisories/61965
- http://www.ubuntu.com/usn/USN-2389-1
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
- http://www.openwall.com/lists/oss-security/2014/10/17/7
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:244
- http://rhn.redhat.com/errata/RHSA-2014-1655.html
- http://rhn.redhat.com/errata/RHSA-2014-1885.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1149084
- http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
- http://secunia.com/advisories/61991
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
- https://support.apple.com/kb/HT205031