CVE-2024-23807

29.02.2024, 01:44

The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs.

Users are recommended to upgrade to version 3.2.5 which fixes the issue, or mitigate the issue by disabling DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

This issue has been disclosed before as CVE-2018-1311, but unfortunately that advisory incorrectly stated the issue would be fixed in version 3.2.3 or 3.2.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
apache	CNA	---				---
CISA-ADP	ADP	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 38%

Vendor	Product	Version
apache	xerces-c\+\+	3.0.0 ≤ 𝑥 < 3.2.5

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

xerces-c

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
mantic	ignored
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

Known Exploits!

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://github.com/apache/xerces-c/pull/54

https://lists.apache.org/thread/c497tgn864tsbm8w0bo3f0d81s07zk9r

https://github.com/apache/xerces-c/pull/54

https://lists.apache.org/thread/c497tgn864tsbm8w0bo3f0d81s07zk9r