Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2014-0191 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | libxml2 (Alpine package): Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU33820
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-0191
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to cause a denial of service.
The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.
Mitigation: Install update from vendor's website.
Vulnerable software versions: libxml2 (Alpine package): 2.9.0-r0 - 2.9.0-r3
External links:
http://git.alpinelinux.org/aports/commit/?id=0215e6588cf7cdc9ec3c57926af82e79b8366e46
http://git.alpinelinux.org/aports/commit/?id=9e3ec8396214f0ec09a2b5c75e65bbc808013c84
http://git.alpinelinux.org/aports/commit/?id=07c1580cc3dc9496f9f7a6ae25fbdd3ef22caee3
http://git.alpinelinux.org/aports/commit/?id=13e59ed69b9459e1ef4534ee2f34e5f94fb99232
http://git.alpinelinux.org/aports/commit/?id=3906599673a7cd93e56c2d8a998148a07a343a4c
http://git.alpinelinux.org/aports/commit/?id=9693e42051fbaf1fea977ea0098f3818925f256e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.