CVE-2009-1885

EUVD-2009-1880
Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in "simply nested DTD structures," as demonstrated by the Codenomicon XML fuzzing framework.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:N/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 94%
Affected Products (NVD)
VendorProductVersion
apachexerces-c\+\+
2.7.0
apachexerces-c\+\+
2.8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
xerces-c
bookworm
3.2.4+debian-1
fixed
bullseye
3.2.3+debian-3+deb11u1
fixed
etch
no-dsa
lenny
no-dsa
sid
3.2.4+debian-1.3
fixed
trixie
3.2.4+debian-1.3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
xerces-c2
dapper
dne
hardy
dne
intrepid
ignored
jaunty
ignored
karmic
ignored
lucid
not-affected
maverick
not-affected
natty
not-affected
Common Weakness Enumeration
References
http://secunia.com/advisories/36201
http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/validators/DTD/DTDScanner.cpp?r1=781488&r2=781487&pathrev=781488&view=patch
http://svn.apache.org/viewvc?view=rev&revision=781488
http://www.cert.fi/en/reports/2009/vulnerability2009085.html
http://www.codenomicon.com/labs/xml/
http://www.mandriva.com/security/advisories?name=MDVSA-2009:223
http://www.networkworld.com/columnists/2009/080509-xml-flaw.html
http://www.securityfocus.com/bid/35986
http://www.vupen.com/english/advisories/2009/2196
https://bugzilla.redhat.com/show_bug.cgi?id=515515
https://exchange.xforce.ibmcloud.com/vulnerabilities/52321
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01001.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01099.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01136.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01150.html
http://secunia.com/advisories/36201
http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/validators/DTD/DTDScanner.cpp?r1=781488&r2=781487&pathrev=781488&view=patch
http://svn.apache.org/viewvc?view=rev&revision=781488
http://www.cert.fi/en/reports/2009/vulnerability2009085.html
http://www.codenomicon.com/labs/xml/
http://www.mandriva.com/security/advisories?name=MDVSA-2009:223
http://www.networkworld.com/columnists/2009/080509-xml-flaw.html
http://www.securityfocus.com/bid/35986
http://www.vupen.com/english/advisories/2009/2196
https://bugzilla.redhat.com/show_bug.cgi?id=515515
https://exchange.xforce.ibmcloud.com/vulnerabilities/52321
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01001.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01099.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01136.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01150.html