CVE-2022-23308

valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 16%
VendorProductVersion
xmlsoftlibxml2
𝑥
< 2.9.13
debiandebian_linux
9.0
appleipados
𝑥
< 15.5
appleiphone_os
𝑥
< 15.5
applemac_os_x
10.15.0 ≤
𝑥
< 10.15.7
applemac_os_x
10.15.7
applemac_os_x
10.15.7:security_update_2020-001
applemac_os_x
10.15.7:security_update_2021-001
applemac_os_x
10.15.7:security_update_2021-002
applemac_os_x
10.15.7:security_update_2021-003
applemac_os_x
10.15.7:security_update_2021-004
applemac_os_x
10.15.7:security_update_2021-005
applemac_os_x
10.15.7:security_update_2021-006
applemac_os_x
10.15.7:security_update_2021-007
applemac_os_x
10.15.7:security_update_2021-008
applemac_os_x
10.15.7:security_update_2022-001
applemac_os_x
10.15.7:security_update_2022-003
applemacos
11.6.0 ≤
𝑥
< 11.6.6
applemacos
12.0 ≤
𝑥
< 12.4
appletvos
𝑥
< 15.5
applewatchos
𝑥
< 8.6
netappactive_iq_unified_manager
-
netappclustered_data_ontap
-
netappclustered_data_ontap_antivirus_connector
-
netappmanageability_software_development_kit
-
netappontap_select_deploy_administration_utility
-
netappsmi-s_provider
-
netappsnapdrive
-
netappsnapmanager
-
netappsolidfire\,_enterprise_sds_\&_hci_storage_node
-
netappsolidfire_\&_hci_management_node
-
netappbootstrap_os
-
netapph300s_firmware
-
netapph500s_firmware
-
netapph700s_firmware
-
netapph300e_firmware
-
netapph500e_firmware
-
netapph700e_firmware
-
netapph410s_firmware
-
netapph410c_firmware
-
oraclecommunications_cloud_native_core_binding_support_function
22.2.0
oraclecommunications_cloud_native_core_network_function_cloud_native_environment
22.1.0
oraclecommunications_cloud_native_core_network_repository_function
22.1.2
oraclecommunications_cloud_native_core_network_repository_function
22.2.0
oraclecommunications_cloud_native_core_network_slice_selection_function
22.1.1
oraclecommunications_cloud_native_core_unified_data_repository
22.2.0
oraclemysql_workbench
𝑥
≤ 8.0.29
oraclezfs_storage_appliance_kit
8.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libxml2
bullseye
2.9.10+dfsg-6.7+deb11u4
fixed
bullseye (security)
2.9.10+dfsg-6.7+deb11u5
fixed
bookworm
2.9.14+dfsg-1.3~deb12u1
fixed
sid
2.12.7+dfsg+really2.9.14-0.1
fixed
trixie
2.12.7+dfsg+really2.9.14-0.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libxml2
jammy
not-affected
impish
Fixed 2.9.12+dfsg-4ubuntu0.1
released
focal
Fixed 2.9.10+dfsg-5ubuntu0.20.04.2
released
bionic
Fixed 2.9.4+dfsg1-6.1ubuntu1.5
released
xenial
Fixed 2.9.3+dfsg1-1ubuntu0.7+esm2
released
trusty
Fixed 2.9.1+dfsg1-3ubuntu4.13+esm3
released
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2022/May/33
http://seclists.org/fulldisclosure/2022/May/34
http://seclists.org/fulldisclosure/2022/May/35
http://seclists.org/fulldisclosure/2022/May/36
http://seclists.org/fulldisclosure/2022/May/37
http://seclists.org/fulldisclosure/2022/May/38
https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e
https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS
https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/
https://security.gentoo.org/glsa/202210-03
https://security.netapp.com/advisory/ntap-20220331-0008/
https://support.apple.com/kb/HT213253
https://support.apple.com/kb/HT213254
https://support.apple.com/kb/HT213255
https://support.apple.com/kb/HT213256
https://support.apple.com/kb/HT213257
https://support.apple.com/kb/HT213258
https://www.oracle.com/security-alerts/cpujul2022.html
http://seclists.org/fulldisclosure/2022/May/33
http://seclists.org/fulldisclosure/2022/May/34
http://seclists.org/fulldisclosure/2022/May/35
http://seclists.org/fulldisclosure/2022/May/36
http://seclists.org/fulldisclosure/2022/May/37
http://seclists.org/fulldisclosure/2022/May/38
https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e
https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS
https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/
https://security.gentoo.org/glsa/202210-03
https://security.netapp.com/advisory/ntap-20220331-0008/
https://support.apple.com/kb/HT213253
https://support.apple.com/kb/HT213254
https://support.apple.com/kb/HT213255
https://support.apple.com/kb/HT213256
https://support.apple.com/kb/HT213257
https://support.apple.com/kb/HT213258
https://www.oracle.com/security-alerts/cpujul2022.html