CVE-2014-3660

parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:N/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 88%
VendorProductVersion
xmlsoftlibxml2
𝑥
≤ 2.9.1
xmlsoftlibxml2
2.0.0
xmlsoftlibxml2
2.1.0
xmlsoftlibxml2
2.1.1
xmlsoftlibxml2
2.2.0
xmlsoftlibxml2
2.2.0:beta
xmlsoftlibxml2
2.2.1
xmlsoftlibxml2
2.2.2
xmlsoftlibxml2
2.2.3
xmlsoftlibxml2
2.2.4
xmlsoftlibxml2
2.2.5
xmlsoftlibxml2
2.2.6
xmlsoftlibxml2
2.2.7
xmlsoftlibxml2
2.2.8
xmlsoftlibxml2
2.2.9
xmlsoftlibxml2
2.2.10
xmlsoftlibxml2
2.2.11
xmlsoftlibxml2
2.3.0
xmlsoftlibxml2
2.3.1
xmlsoftlibxml2
2.3.2
xmlsoftlibxml2
2.3.3
xmlsoftlibxml2
2.3.4
xmlsoftlibxml2
2.3.5
xmlsoftlibxml2
2.3.6
xmlsoftlibxml2
2.3.7
xmlsoftlibxml2
2.3.8
xmlsoftlibxml2
2.3.9
xmlsoftlibxml2
2.3.10
xmlsoftlibxml2
2.3.11
xmlsoftlibxml2
2.3.12
xmlsoftlibxml2
2.3.13
xmlsoftlibxml2
2.3.14
xmlsoftlibxml2
2.4.1
xmlsoftlibxml2
2.4.2
xmlsoftlibxml2
2.4.3
xmlsoftlibxml2
2.4.4
xmlsoftlibxml2
2.4.5
xmlsoftlibxml2
2.4.6
xmlsoftlibxml2
2.4.7
xmlsoftlibxml2
2.4.8
xmlsoftlibxml2
2.4.9
xmlsoftlibxml2
2.4.10
xmlsoftlibxml2
2.4.11
xmlsoftlibxml2
2.4.12
xmlsoftlibxml2
2.4.13
xmlsoftlibxml2
2.4.14
xmlsoftlibxml2
2.4.15
xmlsoftlibxml2
2.4.16
xmlsoftlibxml2
2.4.17
xmlsoftlibxml2
2.4.18
xmlsoftlibxml2
2.4.19
xmlsoftlibxml2
2.4.20
xmlsoftlibxml2
2.4.21
xmlsoftlibxml2
2.4.22
xmlsoftlibxml2
2.4.23
xmlsoftlibxml2
2.4.24
xmlsoftlibxml2
2.4.25
xmlsoftlibxml2
2.4.26
xmlsoftlibxml2
2.4.27
xmlsoftlibxml2
2.4.28
xmlsoftlibxml2
2.4.29
xmlsoftlibxml2
2.4.30
xmlsoftlibxml2
2.5.0
xmlsoftlibxml2
2.5.4
xmlsoftlibxml2
2.5.7
xmlsoftlibxml2
2.5.8
xmlsoftlibxml2
2.5.10
xmlsoftlibxml2
2.5.11
xmlsoftlibxml2
2.6.0
xmlsoftlibxml2
2.6.1
xmlsoftlibxml2
2.6.2
xmlsoftlibxml2
2.6.3
xmlsoftlibxml2
2.6.4
xmlsoftlibxml2
2.6.5
xmlsoftlibxml2
2.6.6
xmlsoftlibxml2
2.6.7
xmlsoftlibxml2
2.6.8
xmlsoftlibxml2
2.6.9
xmlsoftlibxml2
2.6.11
xmlsoftlibxml2
2.6.12
xmlsoftlibxml2
2.6.13
xmlsoftlibxml2
2.6.14
xmlsoftlibxml2
2.6.16
xmlsoftlibxml2
2.6.17
xmlsoftlibxml2
2.6.18
xmlsoftlibxml2
2.6.20
xmlsoftlibxml2
2.6.21
xmlsoftlibxml2
2.6.22
xmlsoftlibxml2
2.6.23
xmlsoftlibxml2
2.6.24
xmlsoftlibxml2
2.6.25
xmlsoftlibxml2
2.6.26
xmlsoftlibxml2
2.6.27
xmlsoftlibxml2
2.6.28
xmlsoftlibxml2
2.6.29
xmlsoftlibxml2
2.6.30
xmlsoftlibxml2
2.6.31
xmlsoftlibxml2
2.6.32
xmlsoftlibxml2
2.7.0
xmlsoftlibxml2
2.7.1
xmlsoftlibxml2
2.7.2
xmlsoftlibxml2
2.7.3
xmlsoftlibxml2
2.7.4
xmlsoftlibxml2
2.7.5
xmlsoftlibxml2
2.7.6
xmlsoftlibxml2
2.7.7
xmlsoftlibxml2
2.7.8
xmlsoftlibxml2
2.8.0
xmlsoftlibxml2
2.9.0
xmlsoftlibxml2
2.9.0:rc1
applemac_os_x
𝑥
≤ 10.10.4
canonicalubuntu_linux
10.04
canonicalubuntu_linux
12.04
canonicalubuntu_linux
14.04
debiandebian_linux
7.0
redhatenterprise_linux
5.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libxml2
bullseye
2.9.10+dfsg-6.7+deb11u4
fixed
bullseye (security)
2.9.10+dfsg-6.7+deb11u5
fixed
bookworm
2.9.14+dfsg-1.3~deb12u1
fixed
sid
2.12.7+dfsg+really2.9.14-0.1
fixed
trixie
2.12.7+dfsg+really2.9.14-0.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libxml2
utopic
Fixed 2.9.1+dfsg1-4ubuntu1
released
trusty
Fixed 2.9.1+dfsg1-3ubuntu4.4
released
precise
Fixed 2.7.8.dfsg-5.1ubuntu4.11
released
lucid
Fixed 2.7.6.dfsg-1ubuntu1.15
released
References
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
http://lists.opensuse.org/opensuse-updates/2014-10/msg00034.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
http://rhn.redhat.com/errata/RHSA-2014-1655.html
http://rhn.redhat.com/errata/RHSA-2014-1885.html
http://secunia.com/advisories/59903
http://secunia.com/advisories/61965
http://secunia.com/advisories/61966
http://secunia.com/advisories/61991
http://www.debian.org/security/2014/dsa-3057
http://www.mandriva.com/security/advisories?name=MDVSA-2014:244
http://www.openwall.com/lists/oss-security/2014/10/17/7
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/70644
http://www.ubuntu.com/usn/USN-2389-1
https://bugzilla.redhat.com/attachment.cgi?id=944444&action=diff
https://bugzilla.redhat.com/show_bug.cgi?id=1149084
https://support.apple.com/kb/HT205030
https://support.apple.com/kb/HT205031
https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
http://lists.opensuse.org/opensuse-updates/2014-10/msg00034.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
http://rhn.redhat.com/errata/RHSA-2014-1655.html
http://rhn.redhat.com/errata/RHSA-2014-1885.html
http://secunia.com/advisories/59903
http://secunia.com/advisories/61965
http://secunia.com/advisories/61966
http://secunia.com/advisories/61991
http://www.debian.org/security/2014/dsa-3057
http://www.mandriva.com/security/advisories?name=MDVSA-2014:244
http://www.openwall.com/lists/oss-security/2014/10/17/7
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/70644
http://www.ubuntu.com/usn/USN-2389-1
https://bugzilla.redhat.com/attachment.cgi?id=944444&action=diff
https://bugzilla.redhat.com/show_bug.cgi?id=1149084
https://support.apple.com/kb/HT205030
https://support.apple.com/kb/HT205031
https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html