CVE-2017-7375 - Improper Restriction of XML External Entity Reference

Severity

75%

Complexity

99%

Confidentiality

106%

A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).

CVSS 3.0 Base Score 9.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Overview

First reported 7 years ago

2018-02-19 19:29:00

Last updated 6 years ago

2018-03-18 14:17:00

Affected Software

XMLSoft Libxml2

Debian Linux 7.0

7.0

Debian Linux 8.0 (Jessie)

8.0

Debian Linux 9.0

9.0

Google Android Operating System 4.4.4

4.4.4

Google Android 5.0.2

5.0.2

Google Android 5.1.1

5.1.1

Google Android 6.0

6.0

Google Android 6.0.1

6.0.1

Google Android (Nougat) 7.0

7.0

Google Android 7.1.1

7.1.1

Google Android 7.1.2

7.1.2

XMLSoft Libxml2 2.9.4 Release Candidate 1

2.9.4

XMLSoft Libxml2 2.9.4 Release Candidate 2

2.9.4

References

98877

Third Party Advisory, VDB Entry

1038623

Third Party Advisory, VDB Entry

https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa

Patch, Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1462203

Issue Tracking, Patch, Third Party Advisory

https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e