CVE-2017-9233

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://www.debian.org/security/2017/dsa-3898	Third Party Advisory
http://www.openwall.com/lists/oss-security/2017/06/17/7	Mailing List VDB Entry
http://www.securityfocus.com/bid/99276	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039427	Third Party Advisory VDB Entry
https://github.com/libexpat/libexpat/blob/master/expat/Changes	Release Notes Third Party Advisory
https://libexpat.github.io/doc/cve-2017-9233/	Exploit Technical Description Vendor Advisory
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
https://support.apple.com/HT208112	Third Party Advisory
https://support.apple.com/HT208113	Third Party Advisory
https://support.apple.com/HT208115	Third Party Advisory
https://support.apple.com/HT208144	Third Party Advisory
https://support.f5.com/csp/article/K03244804	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::

Configuration 3 (hide)

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

History

28 Jul 2022, 11:30

Type	Values Removed	Values Added
References		(MLIST) https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E - Mailing List, Third Party Advisory
References	~~(CONFIRM) https://support.apple.com/HT208144 -~~	(CONFIRM) https://support.apple.com/HT208144 - Third Party Advisory
References	~~(CONFIRM) https://support.apple.com/HT208115 -~~	(CONFIRM) https://support.apple.com/HT208115 - Third Party Advisory
References	~~(CONFIRM) https://support.apple.com/HT208112 -~~	(CONFIRM) https://support.apple.com/HT208112 - Third Party Advisory
References	~~(CONFIRM) https://support.apple.com/HT208113 -~~	(CONFIRM) https://support.apple.com/HT208113 - Third Party Advisory
References	~~(DEBIAN) http://www.debian.org/security/2017/dsa-3898 -~~	(DEBIAN) http://www.debian.org/security/2017/dsa-3898 - Third Party Advisory
References	~~(SECTRACK) http://www.securitytracker.com/id/1039427 -~~	(SECTRACK) http://www.securitytracker.com/id/1039427 - Third Party Advisory, VDB Entry
References	~~(MLIST) https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E - Mailing List, Third Party Advisory
References	~~(CONFIRM) https://support.f5.com/csp/article/K03244804 -~~	(CONFIRM) https://support.f5.com/csp/article/K03244804 - Third Party Advisory
CPE		cpe:2.3:o:debian:debian_linux:8.0:::::::* cpe:2.3:a:python:python:::::::: cpe:2.3:o:debian:debian_linux:9.0:::::::* cpe:2.3:o:debian:debian_linux:10.0:::::::*

29 Jun 2021, 15:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E -

Information

Published : 2017-07-25 20:29

Updated : 2024-02-04 19:29

NVD link : CVE-2017-9233

Mitre link : CVE-2017-9233

CVE.ORG link : CVE-2017-9233

JSON object : View

Products Affected

libexpat_project

libexpat

python

python

debian

debian_linux

CWE

CWE-611

Improper Restriction of XML External Entity Reference

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2017-9233

7.5^/10

5.0^/10

Attach tags to `CVE-2017-9233`