CVE-2023-34411

The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
Affected Products (NVD)
VendorProductVersion
xml_library_projectxml_library
𝑥
< 0.8.14
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
rust-xml-rs
bookworm
0.8.3-1
fixed
bullseye
0.8.3-1
fixed
sid
0.8.19-1
fixed
trixie
0.8.19-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rust-xml-rs
bionic
ignored
focal
needs-triage
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
ignored
Azure Linux logo
Azure Linux Releases
Azure Package
Release
mozjs60
CBL-Mariner 1.0
0:60.9.0-13.cm1
fixed