libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
| Link | Tags |
|---|---|
| http://secunia.com/advisories/52662 | third party advisory vendor advisory |
| http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00002.html | vendor advisory |
| http://openwall.com/lists/oss-security/2013/02/21/24 | mailing list |
| http://openwall.com/lists/oss-security/2013/02/22/3 | mailing list |
| http://seclists.org/oss-sec/2013/q4/188 | mailing list |
| http://seclists.org/oss-sec/2013/q4/184 | mailing list |
| http://seclists.org/oss-sec/2013/q4/182 | mailing list |
| http://www.ubuntu.com/usn/USN-1904-2 | vendor advisory |
| http://www.ubuntu.com/usn/USN-1904-1 | vendor advisory |
| http://www.debian.org/security/2013/dsa-2652 | vendor advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=915149 | |
| http://secunia.com/advisories/54172 | third party advisory |
| http://secunia.com/advisories/55568 | third party advisory vendor advisory |
| https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f | patch exploit |
| http://www.openwall.com/lists/oss-security/2013/04/12/6 | mailing list |