CVE-2013-0340

CVSS V2 Medium 6.8 CVSS V3 None
Description
expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
Overview
  • CVE ID
  • CVE-2013-0340
  • Assigner
  • secalert@redhat.com
  • Vulnerability Status
  • Modified
  • Published Version
  • 2014-01-21T18:55:09
  • Last Modified Date
  • 2023-02-13T04:41:10
Weakness Enumerations
CWE URL
CWE-611 http://cwe.mitre.org/data/definitions/611.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:* 1 OR 2.4.0
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* 1 OR 3.6.0 3.6.15
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* 1 OR 3.7.0 3.7.12
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* 1 OR 3.8.0 3.8.12
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* 1 OR 3.9.0 3.9.7
cpe:2.3:o:apple:ipad_os:*:*:*:*:*:*:*:* 1 OR 14.8
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* 1 OR 14.8
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* 1 OR 11.6
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* 1 OR 15.0
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:* 1 OR 8.0
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:P/I:P/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • PARTIAL
  • Base Score
  • 6.8
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8.6
  • Impact Score
  • 6.4
References
Reference URL Reference Tags
http://openwall.com/lists/oss-security/2013/02/22/3 Exploit Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2013/04/12/6 Mailing List Third Party Advisory
http://www.osvdb.org/90634 Broken Link
http://securitytracker.com/id?1028213 Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/58233 Broken Link Third Party Advisory VDB Entry
https://security.gentoo.org/glsa/201701-21 Third Party Advisory
https://support.apple.com/kb/HT212814
https://support.apple.com/kb/HT212815
https://support.apple.com/kb/HT212819
https://support.apple.com/kb/HT212807
https://support.apple.com/kb/HT212804
https://support.apple.com/kb/HT212805
http://seclists.org/fulldisclosure/2021/Sep/39
http://seclists.org/fulldisclosure/2021/Sep/38
http://seclists.org/fulldisclosure/2021/Sep/35
http://seclists.org/fulldisclosure/2021/Sep/34
http://seclists.org/fulldisclosure/2021/Sep/33
http://seclists.org/fulldisclosure/2021/Sep/40
https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702@%3Cusers.openoffice.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/10/07/4
http://seclists.org/fulldisclosure/2021/Oct/61
http://seclists.org/fulldisclosure/2021/Oct/63
http://seclists.org/fulldisclosure/2021/Oct/62
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2013-0340
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0340
History
Created Old Value New Value Data Type Notes
2022-05-10 06:49:29 Added to TrackCVE
2022-12-01 21:38:24 2014-01-21T18:55Z 2014-01-21T18:55:09 CVE Published Date updated
2022-12-01 21:38:24 2022-07-05T18:57:23 CVE Modified Date updated
2022-12-01 21:38:24 Analyzed Vulnerability Status updated
2023-01-09 17:04:52 2023-01-09T16:41:59 CVE Modified Date updated
2023-02-13 05:06:21 2023-02-13T04:41:10 CVE Modified Date updated
2023-02-13 05:06:21 Analyzed Modified Vulnerability Status updated
2023-02-13 05:06:22 expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE. expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE. Description updated