CVE-2008-3281

moderate-risk
Published 2008-08-27

libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.

Do I need to act?

-
0.80% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
NETWORK / LOW complexity

Affected Products (20)

Esx

Affected Vendors

Apple Canonical Debian Fedoraproject Redhat Xmlsoft Vmware

References (84)

Mailing List http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
Broken Link http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
Broken Link http://lists.vmware.com/pipermail/security-announce/2008/000039.html
Mailing List http://mail.gnome.org/archives/xml/2008-August/msg00034.html
Broken Link http://secunia.com/advisories/31558
Broken Link http://secunia.com/advisories/31566
Broken Link http://secunia.com/advisories/31590
Broken Link http://secunia.com/advisories/31728
Broken Link http://secunia.com/advisories/31748
Broken Link http://secunia.com/advisories/31855
Broken Link http://secunia.com/advisories/31982
Broken Link http://secunia.com/advisories/32488
Broken Link http://secunia.com/advisories/32807
Broken Link http://secunia.com/advisories/32974
Broken Link http://secunia.com/advisories/35379
Third Party Advisory http://security.gentoo.org/glsa/glsa-200812-06.xml
Third Party Advisory http://support.apple.com/kb/HT3613
Third Party Advisory http://support.apple.com/kb/HT3639
Broken Link http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772
and 64 more references
48
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 3/34 · Minimal
Exposure 21/34 · High