XML Entity Expansion Vulnerability in libexpat through 2.6.1
CVE-2024-28757

7.5HIGH

Key Information:

Vendor: libexpat
Status: Libexpat
Vendor: CVE Published:; 10 March 2024

What is CVE-2024-28757?

The libexpat library, widely used for parsing XML, is susceptible to an XML Entity Expansion attack. This vulnerability occurs when external parsers, created via the XML_ExternalEntityParserCreate function, are used in isolation, allowing attackers to exploit the parser's ability to expand entities recursively. If successfully executed, this could lead to potential denial-of-service situations or resource exhaustion, impacting application stability and performance. It is crucial for users and developers utilizing libexpat in their projects to be aware of this vulnerability and ensure they have implemented appropriate security measures or updates.

References

https://github.com/libexpat/libexpat/pull/842

https://github.com/libexpat/libexpat/issues/839

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 10, 2024