#VU45692 Resource management error in Libxml2 and NaviServer


Published: 2020-08-14

Vulnerability identifier: #VU45692

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2012-0841

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Libxml2
Universal components / Libraries / Libraries used by multiple products
NaviServer
Server applications / Web servers

Vendor: Gnome Development Team
NaviServer

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources with the application. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

NaviServer : 2.0.0 - 2.7.8

External links
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660846
http://git.gnome.org/browse/libxml2/commit/?id=8973d58b7498fa5100a876815476b81fd1a2412a
http://lists.apple.com/archives/security-announce/2013/Oct/msg00009.html
http://lists.apple.com/archives/security-announce/2013/Sep/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00002.html
http://rhn.redhat.com/errata/RHSA-2012-0324.html
http://rhn.redhat.com/errata/RHSA-2013-0217.html
http://secunia.com/advisories/54886
http://secunia.com/advisories/55568
http://securitytracker.com/id?1026723
http://support.apple.com/kb/HT5934
http://support.apple.com/kb/HT6001
http://www.debian.org/security/2012/dsa-2417
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
http://www.openwall.com/lists/oss-security/2012/02/22/1
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
http://www.securityfocus.com/bid/52107
http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf
http://xmlsoft.org/news.html
http://blogs.oracle.com/sunsecurity/entry/cve_2012_0841_denial_of

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Denial of service in libxml2
Gentoo update for libxml2
Amazon Linux AMI update for libxml2
Resource management error in libxml2 (Alpine package)