CVE-2013-0340

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
References
Link Resource
http://openwall.com/lists/oss-security/2013/02/22/3 Exploit Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2021/Oct/61 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2021/Oct/62 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2021/Oct/63 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2021/Sep/33 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2021/Sep/34 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2021/Sep/35 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2021/Sep/38 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2021/Sep/39 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2021/Sep/40 Mailing List Third Party Advisory
http://securitytracker.com/id?1028213 Third Party Advisory VDB Entry
http://www.openwall.com/lists/oss-security/2013/04/12/6 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/07/4 Mailing List Third Party Advisory
http://www.osvdb.org/90634 Broken Link
http://www.securityfocus.com/bid/58233 Broken Link Third Party Advisory VDB Entry
https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702%40%3Cusers.openoffice.apache.org%3E
https://security.gentoo.org/glsa/201701-21 Third Party Advisory
https://support.apple.com/kb/HT212804 Third Party Advisory
https://support.apple.com/kb/HT212805 Third Party Advisory
https://support.apple.com/kb/HT212807 Third Party Advisory
https://support.apple.com/kb/HT212814 Third Party Advisory
https://support.apple.com/kb/HT212815 Third Party Advisory
https://support.apple.com/kb/HT212819 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*

History

05 Jul 2022, 18:57

Type Values Removed Values Added
References (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/40 - (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/40 - Mailing List, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702@%3Cusers.openoffice.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702@%3Cusers.openoffice.apache.org%3E - Mailing List, Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2021/Oct/61 - (FULLDISC) http://seclists.org/fulldisclosure/2021/Oct/61 - Mailing List, Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/39 - (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/39 - Mailing List, Third Party Advisory
References (CONFIRM) https://support.apple.com/kb/HT212805 - (CONFIRM) https://support.apple.com/kb/HT212805 - Third Party Advisory
References (CONFIRM) https://support.apple.com/kb/HT212819 - (CONFIRM) https://support.apple.com/kb/HT212819 - Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/33 - (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/33 - Mailing List, Third Party Advisory
References (CONFIRM) https://support.apple.com/kb/HT212807 - (CONFIRM) https://support.apple.com/kb/HT212807 - Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/38 - (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/38 - Mailing List, Third Party Advisory
References (MLIST) http://www.openwall.com/lists/oss-security/2021/10/07/4 - (MLIST) http://www.openwall.com/lists/oss-security/2021/10/07/4 - Mailing List, Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/35 - (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/35 - Mailing List, Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2021/Oct/62 - (FULLDISC) http://seclists.org/fulldisclosure/2021/Oct/62 - Mailing List, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d@%3Cannounce.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d@%3Cannounce.apache.org%3E - Mailing List, Third Party Advisory
References (CONFIRM) https://support.apple.com/kb/HT212814 - (CONFIRM) https://support.apple.com/kb/HT212814 - Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2021/Oct/63 - (FULLDISC) http://seclists.org/fulldisclosure/2021/Oct/63 - Mailing List, Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/34 - (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/34 - Mailing List, Third Party Advisory
References (CONFIRM) https://support.apple.com/kb/HT212804 - (CONFIRM) https://support.apple.com/kb/HT212804 - Third Party Advisory
References (CONFIRM) https://support.apple.com/kb/HT212815 - (CONFIRM) https://support.apple.com/kb/HT212815 - Third Party Advisory
CPE cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipad_os:*:*:*:*:*:*:*:*

27 Oct 2021, 20:15

Type Values Removed Values Added
References
  • (FULLDISC) http://seclists.org/fulldisclosure/2021/Oct/61 -
  • (FULLDISC) http://seclists.org/fulldisclosure/2021/Oct/63 -
  • (FULLDISC) http://seclists.org/fulldisclosure/2021/Oct/62 -

07 Oct 2021, 18:15

Type Values Removed Values Added
References
  • (MLIST) http://www.openwall.com/lists/oss-security/2021/10/07/4 -

07 Oct 2021, 17:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702@%3Cusers.openoffice.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d@%3Cannounce.apache.org%3E -

22 Sep 2021, 00:15

Type Values Removed Values Added
References
  • (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/35 -
  • (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/40 -
  • (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/33 -
  • (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/38 -
  • (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/39 -
  • (FULLDISC) http://seclists.org/fulldisclosure/2021/Sep/34 -

21 Sep 2021, 04:15

Type Values Removed Values Added
References
  • (CONFIRM) https://support.apple.com/kb/HT212805 -
  • (CONFIRM) https://support.apple.com/kb/HT212807 -
  • (CONFIRM) https://support.apple.com/kb/HT212804 -

20 Sep 2021, 19:15

Type Values Removed Values Added
References
  • (CONFIRM) https://support.apple.com/kb/HT212814 -
  • (CONFIRM) https://support.apple.com/kb/HT212819 -
  • (CONFIRM) https://support.apple.com/kb/HT212815 -

25 May 2021, 16:42

Type Values Removed Values Added
References (SECTRACK) http://securitytracker.com/id?1028213 - (SECTRACK) http://securitytracker.com/id?1028213 - Third Party Advisory, VDB Entry
References (OSVDB) http://www.osvdb.org/90634 - (OSVDB) http://www.osvdb.org/90634 - Broken Link
References (MLIST) http://www.openwall.com/lists/oss-security/2013/04/12/6 - (MLIST) http://www.openwall.com/lists/oss-security/2013/04/12/6 - Mailing List, Third Party Advisory
References (BID) http://www.securityfocus.com/bid/58233 - (BID) http://www.securityfocus.com/bid/58233 - Broken Link, Third Party Advisory, VDB Entry
References (GENTOO) https://security.gentoo.org/glsa/201701-21 - (GENTOO) https://security.gentoo.org/glsa/201701-21 - Third Party Advisory
References (MLIST) http://openwall.com/lists/oss-security/2013/02/22/3 - (MLIST) http://openwall.com/lists/oss-security/2013/02/22/3 - Exploit, Mailing List, Third Party Advisory
CPE cpe:2.3:a:libexpat_project:libexpat:1.95.2:*:*:*:*:*:*:*
cpe:2.3:a:libexpat_project:libexpat:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:libexpat_project:libexpat:1.95.5:*:*:*:*:*:*:*
cpe:2.3:a:libexpat_project:libexpat:1.95.7:*:*:*:*:*:*:*
cpe:2.3:a:libexpat_project:libexpat:1.95.1:*:*:*:*:*:*:*
cpe:2.3:a:libexpat_project:libexpat:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:libexpat_project:libexpat:1.95.4:*:*:*:*:*:*:*
cpe:2.3:a:libexpat_project:libexpat:1.95.8:*:*:*:*:*:*:*
cpe:2.3:a:libexpat_project:libexpat:1.95.6:*:*:*:*:*:*:*
CWE CWE-264 CWE-611

Information

Published : 2014-01-21 18:55

Updated : 2024-02-04 18:35


NVD link : CVE-2013-0340

Mitre link : CVE-2013-0340

CVE.ORG link : CVE-2013-0340


JSON object : View

Products Affected

apple

  • macos
  • ipados
  • watchos
  • iphone_os
  • tvos

libexpat_project

  • libexpat

python

  • python
CWE
CWE-611

Improper Restriction of XML External Entity Reference