#VU60733 Input validation error


Published: 2022-02-21 | Updated: 2022-06-17

Vulnerability identifier: #VU60733

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-25236

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
expat
Universal components / Libraries / Libraries used by multiple products

Vendor: libexpat.org

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper protection against insertion of namesep characters into namespace URIs in xmlparse.c. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

expat: 1.95.0 - 2.4.4


CPE

External links
http://github.com/libexpat/libexpat/pull/561
http://www.openwall.com/lists/oss-security/2022/02/19/1


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability