XML External Entity Exposure in Expat Library by Expat Software
CVE-2013-0340


Key Information:

  • Status:
  • Vendor:
  • CVE Published: 21 January 2014

Summary

The Expat XML parser library prior to version 2.1.0 is susceptible to an XML External Entity (XXE) vulnerability that is triggered by a specially crafted XML document. An attacker who exploits it can cause a denial of service through resource exhaustion, make the parser issue HTTP requests to internal servers, or read sensitive files on the system. Expat itself already provides the control needed to disable external entity expansion, so mitigation falls to application developers, who must register a handler through the XML_SetEntityDeclHandler function to refuse external entity declarations.
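The mitigation the advisory names, shown as an added example that is not part of this record or of the Expat project: Python's standard-library xml.parsers.expat binds Expat, and its EntityDeclHandler attribute corresponds to XML_SetEntityDeclHandler. Both XML documents are constructed samples, and the file URI in the second is a placeholder.

```python
import xml.parsers.expat

# Constructed sample 1: an internal entity only; this must still parse.
SAFE_DOC = b'<?xml version="1.0"?>\n' \
           b'<!DOCTYPE d [ <!ENTITY greet "hello"> ]>\n' \
           b'<d>&greet;</d>'

# Constructed sample 2: the XXE pattern the advisory describes, an entity
# whose replacement text comes from an external resource (placeholder path).
XXE_DOC = b'<?xml version="1.0"?>\n' \
          b'<!DOCTYPE d [ <!ENTITY ext SYSTEM "file:///path/to/placeholder"> ]>\n' \
          b'<d>&ext;</d>'


class ExternalEntityRejected(Exception):
    """Raised as soon as the DTD declares an external (SYSTEM/PUBLIC) entity."""


def parse_rejecting_external_entities(data: bytes) -> str:
    """Parse with Expat and return the text content, refusing external entities."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    # Equivalent of XML_SetEntityDeclHandler: Expat calls this for every
    # <!ENTITY ...> declaration before any reference to it is expanded.
    # Internal entities carry a value; external ones carry a system/public id.
    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            # Raising here makes pyexpat stop the parser and propagate the error.
            raise ExternalEntityRejected(f"external entity {name!r} -> {system_id!r}")

    # Defence in depth: even if a declaration slipped through, never let Expat
    # fetch an external entity. Returning 0 makes the reference a parse error.
    def external_entity_ref(context, base, system_id, public_id):
        return 0

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def is_rejected(data: bytes) -> bool:
    """True when the document is refused because it declares an external entity."""
    try:
        parse_rejecting_external_entities(data)
    except ExternalEntityRejected:
        return True
    return False
```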

References

Timeline

  • Vulnerability published

  • Vulnerability reserved
