StringEqual Vulnerability in TinyXML Affects XML Parsing
CVE-2023-34194

7.5HIGH

Key Information:

Vendor: Tinyxml Project
Status: Tinyxml
Vendor: CVE Published:; 13 December 2023

🔔 Create Tinyxml Project Vulnerability Alert

What is CVE-2023-34194?

The vulnerability in TinyXML arises from an input validation error within the StringEqual function in the TiXmlDeclaration::Parse method found in tinyxmlparser.cpp. This flaw allows for a crafted XML document containing a NULL byte ('\0') positioned after whitespace to trigger a reachable assertion, potentially leading to an application exit. Malicious actors could exploit this vulnerability to disrupt the integrity and availability of applications using affected TinyXML versions, specifically 2.6.2 and earlier.

References

https://sourceforge.net/p/tinyxml/git/ci/master/tree/tiny...

https://www.forescout.com/resources/sierra21-vulnerabilities

https://lists.debian.org/debian-lts-announce/2023/12/msg0...

mailing-list

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 13, 2023
Vulnerability Reserved
May 30, 2023