expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
05 Jul 2022, 18:57
Type | Values Removed | Values Added |
---|---|---|
References | (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/40 - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702@%3Cusers.openoffice.apache.org%3E - Mailing List, Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2021/Oct/61 - Mailing List, Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/39 - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://support.apple.com/kb/HT212805 - Third Party Advisory | |
References | (CONFIRM) https://support.apple.com/kb/HT212819 - Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/33 - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://support.apple.com/kb/HT212807 - Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/38 - Mailing List, Third Party Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2021/10/07/4 - Mailing List, Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/35 - Mailing List, Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2021/Oct/62 - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d@%3Cannounce.apache.org%3E - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://support.apple.com/kb/HT212814 - Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2021/Oct/63 - Mailing List, Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/34 - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://support.apple.com/kb/HT212804 - Third Party Advisory | |
References | (CONFIRM) https://support.apple.com/kb/HT212815 - Third Party Advisory | |
CPE | cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:* cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* cpe:2.3:a:python:python:*:*:*:*:*:*:*:* cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* cpe:2.3:o:apple:ipad_os:*:*:*:*:*:*:*:* |
27 Oct 2021, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Oct 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Oct 2021, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
22 Sep 2021, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
21 Sep 2021, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Sep 2021, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
25 May 2021, 16:42
Type | Values Removed | Values Added |
---|---|---|
References | (SECTRACK) http://securitytracker.com/id?1028213 - Third Party Advisory, VDB Entry | |
References | (OSVDB) http://www.osvdb.org/90634 - Broken Link | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2013/04/12/6 - Mailing List, Third Party Advisory | |
References | (BID) http://www.securityfocus.com/bid/58233 - Broken Link, Third Party Advisory, VDB Entry | |
References | (GENTOO) https://security.gentoo.org/glsa/201701-21 - Third Party Advisory | |
References | (MLIST) http://openwall.com/lists/oss-security/2013/02/22/3 - Exploit, Mailing List, Third Party Advisory | |
CPE | cpe:2.3:a:libexpat_project:libexpat:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:libexpat_project:libexpat:1.95.5:*:*:*:*:*:*:* cpe:2.3:a:libexpat_project:libexpat:1.95.7:*:*:*:*:*:*:* cpe:2.3:a:libexpat_project:libexpat:1.95.1:*:*:*:*:*:*:* cpe:2.3:a:libexpat_project:libexpat:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:libexpat_project:libexpat:1.95.4:*:*:*:*:*:*:* cpe:2.3:a:libexpat_project:libexpat:1.95.8:*:*:*:*:*:*:* cpe:2.3:a:libexpat_project:libexpat:1.95.6:*:*:*:*:*:*:* |
|
CWE | CWE-611 |
Information
Published : 2014-01-21 18:55
Updated : 2024-02-04 18:35
NVD link : CVE-2013-0340
Mitre link : CVE-2013-0340
CVE.ORG link : CVE-2013-0340
JSON object : View
Products Affected
apple
- macos
- ipados
- watchos
- iphone_os
- tvos
libexpat_project
- libexpat
python
- python
CWE
CWE-611
Improper Restriction of XML External Entity Reference