5

CVE-2014-3660

parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
XmlsoftLibxml2 Version <= 2.9.1
XmlsoftLibxml2 Version2.0.0
XmlsoftLibxml2 Version2.1.0
XmlsoftLibxml2 Version2.1.1
XmlsoftLibxml2 Version2.2.0
XmlsoftLibxml2 Version2.2.0 Updatebeta
XmlsoftLibxml2 Version2.2.1
XmlsoftLibxml2 Version2.2.2
XmlsoftLibxml2 Version2.2.3
XmlsoftLibxml2 Version2.2.4
XmlsoftLibxml2 Version2.2.5
XmlsoftLibxml2 Version2.2.6
XmlsoftLibxml2 Version2.2.7
XmlsoftLibxml2 Version2.2.8
XmlsoftLibxml2 Version2.2.9
XmlsoftLibxml2 Version2.2.10
XmlsoftLibxml2 Version2.2.11
XmlsoftLibxml2 Version2.3.0
XmlsoftLibxml2 Version2.3.1
XmlsoftLibxml2 Version2.3.2
XmlsoftLibxml2 Version2.3.3
XmlsoftLibxml2 Version2.3.4
XmlsoftLibxml2 Version2.3.5
XmlsoftLibxml2 Version2.3.6
XmlsoftLibxml2 Version2.3.7
XmlsoftLibxml2 Version2.3.8
XmlsoftLibxml2 Version2.3.9
XmlsoftLibxml2 Version2.3.10
XmlsoftLibxml2 Version2.3.11
XmlsoftLibxml2 Version2.3.12
XmlsoftLibxml2 Version2.3.13
XmlsoftLibxml2 Version2.3.14
XmlsoftLibxml2 Version2.4.1
XmlsoftLibxml2 Version2.4.2
XmlsoftLibxml2 Version2.4.3
XmlsoftLibxml2 Version2.4.4
XmlsoftLibxml2 Version2.4.5
XmlsoftLibxml2 Version2.4.6
XmlsoftLibxml2 Version2.4.7
XmlsoftLibxml2 Version2.4.8
XmlsoftLibxml2 Version2.4.9
XmlsoftLibxml2 Version2.4.10
XmlsoftLibxml2 Version2.4.11
XmlsoftLibxml2 Version2.4.12
XmlsoftLibxml2 Version2.4.13
XmlsoftLibxml2 Version2.4.14
XmlsoftLibxml2 Version2.4.15
XmlsoftLibxml2 Version2.4.16
XmlsoftLibxml2 Version2.4.17
XmlsoftLibxml2 Version2.4.18
XmlsoftLibxml2 Version2.4.19
XmlsoftLibxml2 Version2.4.20
XmlsoftLibxml2 Version2.4.21
XmlsoftLibxml2 Version2.4.22
XmlsoftLibxml2 Version2.4.23
XmlsoftLibxml2 Version2.4.24
XmlsoftLibxml2 Version2.4.25
XmlsoftLibxml2 Version2.4.26
XmlsoftLibxml2 Version2.4.27
XmlsoftLibxml2 Version2.4.28
XmlsoftLibxml2 Version2.4.29
XmlsoftLibxml2 Version2.4.30
XmlsoftLibxml2 Version2.5.0
XmlsoftLibxml2 Version2.5.4
XmlsoftLibxml2 Version2.5.7
XmlsoftLibxml2 Version2.5.8
XmlsoftLibxml2 Version2.5.10
XmlsoftLibxml2 Version2.5.11
XmlsoftLibxml2 Version2.6.0
XmlsoftLibxml2 Version2.6.1
XmlsoftLibxml2 Version2.6.2
XmlsoftLibxml2 Version2.6.3
XmlsoftLibxml2 Version2.6.4
XmlsoftLibxml2 Version2.6.5
XmlsoftLibxml2 Version2.6.6
XmlsoftLibxml2 Version2.6.7
XmlsoftLibxml2 Version2.6.8
XmlsoftLibxml2 Version2.6.9
XmlsoftLibxml2 Version2.6.11
XmlsoftLibxml2 Version2.6.12
XmlsoftLibxml2 Version2.6.13
XmlsoftLibxml2 Version2.6.14
XmlsoftLibxml2 Version2.6.16
XmlsoftLibxml2 Version2.6.17
XmlsoftLibxml2 Version2.6.18
XmlsoftLibxml2 Version2.6.20
XmlsoftLibxml2 Version2.6.21
XmlsoftLibxml2 Version2.6.22
XmlsoftLibxml2 Version2.6.23
XmlsoftLibxml2 Version2.6.24
XmlsoftLibxml2 Version2.6.25
XmlsoftLibxml2 Version2.6.26
XmlsoftLibxml2 Version2.6.27
XmlsoftLibxml2 Version2.6.28
XmlsoftLibxml2 Version2.6.29
XmlsoftLibxml2 Version2.6.30
XmlsoftLibxml2 Version2.6.31
XmlsoftLibxml2 Version2.6.32
XmlsoftLibxml2 Version2.7.0
XmlsoftLibxml2 Version2.7.1
XmlsoftLibxml2 Version2.7.2
XmlsoftLibxml2 Version2.7.3
XmlsoftLibxml2 Version2.7.4
XmlsoftLibxml2 Version2.7.5
XmlsoftLibxml2 Version2.7.6
XmlsoftLibxml2 Version2.7.7
XmlsoftLibxml2 Version2.7.8
XmlsoftLibxml2 Version2.8.0
XmlsoftLibxml2 Version2.9.0
XmlsoftLibxml2 Version2.9.0 Updaterc1
ApplemacOS X Version <= 10.10.4
CanonicalUbuntu Linux Version10.04 SwEditionlts
CanonicalUbuntu Linux Version12.04 SwEditionlts
CanonicalUbuntu Linux Version14.04 SwEditionlts
DebianDebian Linux Version7.0
RedhatEnterprise Linux Version5.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.99% 0.892
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
Es wurden noch keine Informationen zu CWE veröffentlicht.
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
https://support.apple.com/kb/HT205031
Vendor Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.mandriva.com/security/advisories?name=MDVSA-2014:244
http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
http://lists.opensuse.org/opensuse-updates/2014-10/msg00034.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
http://rhn.redhat.com/errata/RHSA-2014-1655.html
http://rhn.redhat.com/errata/RHSA-2014-1885.html
http://secunia.com/advisories/59903
http://secunia.com/advisories/61965
http://secunia.com/advisories/61966
http://secunia.com/advisories/61991
http://www.debian.org/security/2014/dsa-3057
http://www.openwall.com/lists/oss-security/2014/10/17/7
Patch
http://www.securityfocus.com/bid/70644
http://www.ubuntu.com/usn/USN-2389-1
Vendor Advisory
https://bugzilla.redhat.com/attachment.cgi?id=944444&action=diff
https://bugzilla.redhat.com/show_bug.cgi?id=1149084
https://support.apple.com/kb/HT205030
Vendor Advisory
https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html