Detections
Analytics
GLSA-202210-03 : libxml2: Multiple Vulnerabilities
high Nessus Plugin ID 166160
Language:
Description
The remote host is affected by the vulnerability described in GLSA-202210-03 (libxml2: Multiple Vulnerabilities)- valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. (CVE-2022-23308)
- In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well. (CVE-2022-29824)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
All libxml2 users should upgrade to the latest version:# emerge --sync # emerge --ask --oneshot --verbose >=dev-libs/libxml2-2.10.2
See Also
https://security.gentoo.org/glsa/202210-03
https://bugs.gentoo.org/show_bug.cgi?id=833809
Plugin Details
Severity: High
ID: 166160
File Name: gentoo_GLSA-202210-03.nasl
Version: 1.3
Type: local
Family: Gentoo Local Security Checks
Published: 10/16/2022
Updated: 10/9/2023
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.6
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS Score Source: CVE-2022-29824
CVSS v3
Risk Factor: High
Base Score: 7.5
Temporal Score: 7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
CVSS Score Source: CVE-2022-23308
Vulnerability Information
CPE: p-cpe:/a:gentoo:linux:libxml2, cpe:/o:gentoo:linux
Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 10/16/2022
Vulnerability Publication Date: 2/26/2022
Reference Information
CVE: CVE-2022-23308, CVE-2022-29824