CVE-2021-4249

EUVD-2021-34096
A vulnerability was found in xml-conduit. It has been classified as problematic. Affected is an unknown function of the file xml-conduit/src/Text/XML/Stream/Parse.hs of the component DOCTYPE Entity Expansion Handler. The manipulation leads to infinite loop. It is possible to launch the attack remotely. Upgrading to version 1.9.1.0 is able to address this issue. The name of the patch is 4be1021791dcdee8b164d239433a2043dc0939ea. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216204.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
VulDBCNA
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
Affected Products (NVD)
VendorProductVersion
haskellxml-conduit
𝑥
< 1.9.1.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
haskell-xml-conduit
bookworm
1.9.1.1-2
fixed
bullseye
no-dsa
buster
no-dsa
sid
1.9.1.3-2
fixed
trixie
1.9.1.3-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
haskell-xml-conduit
bionic
needed
focal
needed
jammy
needed
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
ignored
xenial
needed
Common Weakness Enumeration
References
https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea
https://github.com/snoyberg/xml/pull/161
https://hackage.haskell.org/package/xml-conduit-1.9.1.0
https://vuldb.com/?id.216204
https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea
https://github.com/snoyberg/xml/pull/161
https://hackage.haskell.org/package/xml-conduit-1.9.1.0
https://vuldb.com/?id.216204