CVE-2020-24977

moderate-risk

Published 2020-09-04

GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.

Do I need to act?

0.50% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Libxml2

Debian Linux

Fedora

Leap

Active Iq Unified Manager

Clustered Data Ontap

Clustered Data Ontap Antivirus Connector

Inventory Collect Tool

Manageability Software Development Kit

Snapdrive

Hci H410C Firmware

Communications Cloud Native Core Network Function Cloud Native Environment

Enterprise Manager Base Platform

Enterprise Manager Ops Center

Affected Vendors

Debian Oracle Xmlsoft Fedoraproject Netapp Opensuse

References (44)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00036.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html

Patch https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05a...

Exploit https://gitlab.gnome.org/GNOME/libxml2/-/issues/178

https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430...

Third Party Advisory https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202107-05

Third Party Advisory https://security.netapp.com/advisory/ntap-20200924-0001/

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

and 24 more references

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 2/34 · Minimal

Exposure 21/34 · High