Heap-based buffer overflow in libxml2 (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2015-7498 |
| CWE-ID | CWE-122 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
libxml2 (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Heap-based buffer overflow
EUVDB-ID: #VU32388
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-7498
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3. A remote attacker can use unspecified vectors related to extracting errors after an encoding conversion failure. to trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionslibxml2 (Alpine package): 2.9.0-r0 - 2.9.1-r3
External linkshttp://git.alpinelinux.org/aports/commit/?id=0215e6588cf7cdc9ec3c57926af82e79b8366e46
http://git.alpinelinux.org/aports/commit/?id=9e3ec8396214f0ec09a2b5c75e65bbc808013c84
http://git.alpinelinux.org/aports/commit/?id=f084c470893c32a5ab1b765dfe1fa044af19320d
http://git.alpinelinux.org/aports/commit/?id=d43279c37e7c6a85eb14e2879d00bb7d74e9aa45
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
