Home

CVE-2014-3660

Description

parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the billion laughs attack.

Risk Information

Base Score
10.0
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score
Exploitation Probability
4.342

Associated Vulnerability

VulnerabilityOS Platform
Multiple Vulnerabilities are affected in IBM Aspera Shares 1.10.1Windows
Multiple vulnerabilities are fixed in OS X Yosemite 10.10.5 UpdateMac
Multiple vulnerabilities are fixed in OS X Yosemite 10.10.5 Combo UpdateMac
(RHSA-2014:1885) Moderate: libxml2 security update libxml2-2.6.26-2.1.25.el5_11.i386.rpmLinux
(RHSA-2014:1885) Moderate: libxml2 security update libxml2-2.6.26-2.1.25.el5_11.x86_64.rpmLinux
(RHSA-2014:1885) Moderate: libxml2 security update libxml2-devel-2.6.26-2.1.25.el5_11.i386.rpmLinux
(RHSA-2014:1885) Moderate: libxml2 security update libxml2-devel-2.6.26-2.1.25.el5_11.x86_64.rpmLinux
(RHSA-2014:1885) Moderate: libxml2 security update libxml2-python-2.6.26-2.1.25.el5_11.i386.rpmLinux
(RHSA-2014:1885) Moderate: libxml2 security update libxml2-python-2.6.26-2.1.25.el5_11.x86_64.rpmLinux
CVE-2014-3660NCM

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-600354OS X Yosemite 10.10.5 Update
PATCH-600458OS X Yosemite 10.10.5 Combo Update

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234