CVE-2023-45322

libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/10/06/5	Mailing List Patch Third Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/-/issues/344	Issue Tracking Patch Vendor Advisory
https://gitlab.gnome.org/GNOME/libxml2/-/issues/583	Issue Tracking Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*

History

21 Mar 2024, 02:49

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-06 22:15

Updated : 2024-08-02 21:15

NVD link : CVE-2023-45322

Mitre link : CVE-2023-45322

CVE.ORG link : CVE-2023-45322

JSON object : View

Products Affected

xmlsoft

libxml2

CWE

CWE-416

Use After Free

{"id": "CVE-2023-45322", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-10-06T22:15:11.660", "references": [{"url": "http://www.openwall.com/lists/oss-security/2023/10/06/5", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/344", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/583", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is \"I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail.\""}, {"lang": "es", "value": "** EN DISPUTA ** libxml2 hasta 2.11.5 tiene un use-after-free que solo puede ocurrir despu\u00e9s de que falla una determinada asignaci\u00f3n de memoria. Esto ocurre en xmlUnlinkNode en tree.c. NOTA: la posici\u00f3n del proveedor es \"No creo que estos problemas sean lo suficientemente cr\u00edticos como para justificar un ID CVE... porque un atacante normalmente no puede controlar cu\u00e1ndo fallan las asignaciones de memoria\"."}], "lastModified": "2024-08-02T21:15:32.323", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31459596-1117-4925-A7C3-0D362AD87789", "versionEndIncluding": "2.11.5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}