73171 : LuaExpat Entity Expansion Recursion XML Nested Entity Handling DoS
Printer | http://osvdb.org/73171 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
4	618	over 4 years ago	almost 2 years ago	4 times	70%

Timeline

Disclosure Date
2011-05-03

Time to Patch
38 days

Description

LuaExpat fails to properly detect recursion during entity expansion, allowing a context-dependent attacker to use a crafted XML document to cause a denial of service.

Classification

Location: Local / Remote, Context Dependent
Attack Type: Denial of Service
Impact: Loss of Availability
Solution: Upgrade
Exploit: Exploit Public
Disclosure: Vendor Verified

Solution

Upgrade to version 1.2.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Unknown or Incomplete

References

Related OSVDB ID: 48157 73170 73172 73173 73174 73175
CVE ID: 2003-1564 (see also: NVD) 2011-1757 (see also: NVD) 2011-2188 (see also: NVD)
Secunia Advisory ID: 31868 44765 44787 44788 44795 44807 44866 44936 44957 44960
Other Advisory URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629225
http://http://www.stylusstudio.com/xmldev/200302/post20020.html
http://mail.gnome.org/archives/xml/2008-August/msg00034.html
http://wouter.coekaerts.be/2011/jabber-dos
http://www.mail-archive.com/[email protected]/msg01655.html
http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2
http://xmlsoft.org/news.html
https://git.process-one.net/ejabberd/mainline/commit/bd1df027c622e1f96f9eeaac612a6a956c1ff0b6
Vendor Specific Advisory URL: http://groups.google.com/group/djabberd/browse_thread/thread/47974331c37e54c5
http://www.debian.org/security/2011/dsa-2248
http://www.debian.org/security/2011/dsa-2249
http://www.debian.org/security/2011/dsa-2250
Vendor Specific News/Changelog Entry: http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061458.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061482.html
RedHat RHSA: https://rhn.redhat.com/errata/RHSA-2011-0881.html
https://rhn.redhat.com/errata/RHSA-2011-0882.html
RHSA-2008:0886

Tools & Filters

	55036 55037 55038

Credit

Unknown or Incomplete

CVSSv2 Score

CVSSv2 Base Score = 4.3
Source: nvd.nist.gov | Generated: 2011-06-21 | Disagree? | There are 3 more: View All

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.