CVE-2023-29469

EPSS 0.06%
Veröffentlicht 24.04.2023 21:15:09
Zuletzt bearbeitet 04.02.2025 21:15:23
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xmlsoft ≫ Libxml2 Version < 2.10.4

Debian ≫ Debian Linux Version10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.175

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE-415 Double Free

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4

Release Notes

https://lists.debian.org/debian-lts-announce/2023/04/msg00031.html

Third Party Advisory

Mailing List

https://security.netapp.com/advisory/ntap-20230601-0006/

https://gitlab.gnome.org/GNOME/libxml2/-/issues/510

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-29469

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-29469

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-29469

EUVD