CVE - CVE-2013-0339

CVE-ID
CVE-2013-0339	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MLIST:[oss-security] 20130221 CVE Guidance for Libraries and Resource-Consumption DoS URL:http://openwall.com/lists/oss-security/2013/02/21/24 MLIST:[oss-security] 20130221 CVEs for libxml2 and expat internal and external XML entity expansion URL:http://openwall.com/lists/oss-security/2013/02/22/3 MLIST:[oss-security] 20130412 Re-evaluating expat/libxml2 CVE assignments URL:http://www.openwall.com/lists/oss-security/2013/04/12/6 MLIST:[oss-security] 20131028 Re: CVE Request: libxml2 external parsed entities issue URL:http://seclists.org/oss-sec/2013/q4/182 MLIST:[oss-security] 20131029 Re: CVE Request: libxml2 external parsed entities issue URL:http://seclists.org/oss-sec/2013/q4/184 MLIST:[oss-security] 20131029 Re: CVE Request: libxml2 external parsed entities issue URL:http://seclists.org/oss-sec/2013/q4/188 MISC:https://bugzilla.redhat.com/show_bug.cgi?id=915149 MISC:https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f DEBIAN:DSA-2652 URL:http://www.debian.org/security/2013/dsa-2652 SUSE:SUSE-SU-2013:1627 URL:http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00002.html UBUNTU:USN-1904-1 URL:http://www.ubuntu.com/usn/USN-1904-1 UBUNTU:USN-1904-2 URL:http://www.ubuntu.com/usn/USN-1904-2 SECUNIA:52662 URL:http://secunia.com/advisories/52662 SECUNIA:54172 URL:http://secunia.com/advisories/54172 SECUNIA:55568 URL:http://secunia.com/advisories/55568
Assigning CNA
N/A
Date Entry Created
20121206	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20121206)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org