CVE-2024-40896
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| libxml2 | libxml2 | 2.11.0 < 2.11.9 | affected |
| libxml2 | libxml2 | 2.12.0 < 2.12.9 | affected |
| libxml2 | libxml2 | 2.13.0 < 2.13.3 | affected |
Weaknesses
- CWE-611: CWE-611 Improper Restriction of XML External Entity Reference
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/761
- https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.