CVE-2013-0340

Description

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

References

https://support.apple.com/kb/HT212819

https://support.apple.com/kb/HT212815

https://support.apple.com/kb/HT212814

https://support.apple.com/kb/HT212807

https://support.apple.com/kb/HT212805

https://support.apple.com/kb/HT212804

https://security.gentoo.org/glsa/201701-21

https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702%40%3Cusers.openoffice.apache.org%3E

https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d%40%3Cannounce.apache.org%3E

http://www.openwall.com/lists/oss-security/2021/10/07/4

http://www.openwall.com/lists/oss-security/2013/04/12/6

http://securitytracker.com/id?1028213

http://seclists.org/fulldisclosure/2021/Sep/40

http://seclists.org/fulldisclosure/2021/Sep/39

http://seclists.org/fulldisclosure/2021/Sep/38

http://seclists.org/fulldisclosure/2021/Sep/35

http://seclists.org/fulldisclosure/2021/Sep/34

http://seclists.org/fulldisclosure/2021/Sep/33

http://seclists.org/fulldisclosure/2021/Oct/63

http://seclists.org/fulldisclosure/2021/Oct/62

http://seclists.org/fulldisclosure/2021/Oct/61

Details

Source: Mitre, NVD

Risk Information

CVSS v2

CVSS v3