Open mend-for-github-com[bot] opened 1 year ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - mlvv1.2.1
MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Vulnerable Source Files (3)
/release/src/router/libxml2/encoding.c /release/src/router/libxml2/encoding.c /release/src/router/libxml2/encoding.c
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2016-4658
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/xpointer.c /release/src/router/libxml2/xpointer.c /release/src/router/libxml2/xpointer.c
### Vulnerability Detailsxpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.
Publish Date: 2016-09-25
URL: CVE-2016-4658
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658
Release Date: 2016-09-25
Fix Resolution: v2.9.5-rc1
CVE-2017-7376
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/nanohttp.c /release/src/router/libxml2/nanohttp.c /release/src/router/libxml2/nanohttp.c
### Vulnerability DetailsBuffer overflow in libxml2 allows remote attackers to execute arbitrary code by leveraging an incorrect limit for port values when handling redirects.
Publish Date: 2018-02-19
URL: CVE-2017-7376
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: http://www.securityfocus.com/bid/98877
Release Date: 2018-02-19
Fix Resolution: libxml2-2.9.4-r3
CVE-2016-4448
### Vulnerable Libraries - mlvv1.2.1, mlvv1.2.1, mlvv1.2.1Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors.
Publish Date: 2016-06-09
URL: CVE-2016-4448
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448
Release Date: 2016-06-09
Fix Resolution: v2.9.4
CVE-2015-8710
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/HTMLparser.c /release/src/router/libxml2/HTMLparser.c /release/src/router/libxml2/HTMLparser.c
### Vulnerability DetailsThe htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.
Publish Date: 2016-04-11
URL: CVE-2015-8710
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8710
Release Date: 2016-04-11
Fix Resolution: v2.9.3
CVE-2016-5131
### Vulnerable Libraries - mlvv1.2.1, mlvv1.2.1Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
Publish Date: 2016-07-23
URL: CVE-2016-5131
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2016-07-23
Fix Resolution: v2.9.5-rc1
CVE-2017-15412
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/xpath.c /release/src/router/libxml2/xpath.c /release/src/router/libxml2/xpath.c
### Vulnerability DetailsUse after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Publish Date: 2018-08-28
URL: CVE-2017-15412
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/0f3b843b3534784ef57a4f9b874238aa1fda5a73
Release Date: 2018-08-28
Fix Resolution: 2.9.6
CVE-2018-9466
### Vulnerable Libraries - mlvv1.2.1, mlvv1.2.1, mlvv1.2.1, mlvv1.2.1A Remote Code Execution was discovered in libxml2 before version 2.9.8.
Publish Date: 2019-01-01
URL: CVE-2018-9466
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2019-06-16
Fix Resolution: android-9.0.0_r5,android-8.1.0_r45,v2.9.8-rc1
CVE-2021-3518
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/xinclude.c /release/src/router/libxml2/xinclude.c /release/src/router/libxml2/xinclude.c
### Vulnerability DetailsThere's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
Publish Date: 2021-05-18
URL: CVE-2021-3518
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3518
Release Date: 2021-05-18
Fix Resolution: libxml2-debuginfo - 2.9.7-9,2.9.7-9;libxml2 - 2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9;python3-libxml2-debuginfo - 2.9.7-9,2.9.7-9;python3-libxml2 - 2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9;libxml2-devel - 2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9;libxml2-debugsource - 2.9.7-9,2.9.7-9
CVE-2017-5130
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/xmlmemory.c /release/src/router/libxml2/xmlmemory.c /release/src/router/libxml2/xmlmemory.c
### Vulnerability DetailsAn integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file.
Publish Date: 2018-02-07
URL: CVE-2017-5130
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2018-02-07
Fix Resolution: v2.9.5-rc1
CVE-2021-3517
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (2)/release/src/router/libxml2/entities.c /release/src/router/libxml2/entities.c
### Vulnerability DetailsThere is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
Publish Date: 2021-05-19
URL: CVE-2021-3517
### CVSS 3 Score Details (8.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3517
Release Date: 2021-05-19
Fix Resolution: libxml2-debugsource - 2.9.7-9,2.9.7-9;libxml2-debuginfo - 2.9.7-9,2.9.7-9;libxml2 - 2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9;python3-libxml2-debuginfo - 2.9.7-9,2.9.7-9;python3-libxml2 - 2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9;libxml2-devel - 2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9
CVE-2011-0216
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/encoding.c /release/src/router/libxml2/encoding.c /release/src/router/libxml2/encoding.c
### Vulnerability DetailsOff-by-one error in libxml in Apple Safari before 5.0.6 allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via a crafted web site.
Publish Date: 2011-07-21
URL: CVE-2011-0216
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0216
Release Date: 2011-07-21
Fix Resolution: v2.8.0-rc1
CVE-2011-1944
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/xpath.c /release/src/router/libxml2/xpath.c /release/src/router/libxml2/xpath.c
### Vulnerability DetailsInteger overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions.
Publish Date: 2011-09-02
URL: CVE-2011-1944
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2011-09-02
Fix Resolution: v2.8.0-rc1
CVE-2016-1840
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/xmlregexp.c /release/src/router/libxml2/xmlregexp.c /release/src/router/libxml2/xmlregexp.c
### Vulnerability DetailsHeap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
Publish Date: 2016-05-20
URL: CVE-2016-1840
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2016-05-20
Fix Resolution: v2.9.4
CVE-2016-1834
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/xmlstring.c /release/src/router/libxml2/xmlstring.c /release/src/router/libxml2/xmlstring.c
### Vulnerability DetailsHeap-based buffer overflow in the xmlStrncat function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
Publish Date: 2016-05-20
URL: CVE-2016-1834
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://git.gnome.org/browse/libxml2/commit/?id=8fbbf5513d609c1770b391b99e33314cd0742704
Release Date: 2016-05-20
Fix Resolution: v2.9.4
CVE-2021-3516
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (2)/release/src/router/libxml2/xmllint.c /release/src/router/libxml2/xmllint.c
### Vulnerability DetailsThere's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.
Publish Date: 2021-06-01
URL: CVE-2021-3516
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3516
Release Date: 2021-06-01
Fix Resolution: libxml2-debugsource - 2.9.7-9,2.9.7-9;libxml2-debuginfo - 2.9.7-9,2.9.7-9;libxml2 - 2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9;python3-libxml2-debuginfo - 2.9.7-9,2.9.7-9;python3-libxml2 - 2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9;libxml2-devel - 2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9,2.9.7-9
CVE-2015-8806
### Vulnerable Libraries - mlvv1.2.1, mlvv1.2.1dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the "Publish Date: 2016-04-13
URL: CVE-2015-8806
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://security.gentoo.org/glsa/201701-37
Release Date: 2016-04-13
Fix Resolution: 2.9.4
CVE-2019-20388
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (2)/release/src/router/libxml2/xmlschemas.c /release/src/router/libxml2/xmlschemas.c
### Vulnerability DetailsxmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.
Publish Date: 2020-01-21
URL: CVE-2019-20388
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-20388
Release Date: 2020-01-21
Fix Resolution: libxml2-python - 2.9.1-6,2.9.1-6,2.9.1-6;libxml2-debugsource - 2.9.7-8,2.9.7-8;libxml2-static - 2.9.1-6,2.9.1-6,2.9.1-6,2.9.1-6,2.9.1-6;libxml2-debuginfo - 2.9.1-6,2.9.1-6,2.9.7-8,2.9.7-8;libxml2 - 2.9.1-6,2.9.7-8,2.9.1-6,2.9.7-8,2.9.1-6,2.9.1-6,2.9.1-6,2.9.7-8,2.9.7-8,2.9.7-8,2.9.7-8,2.9.1-6;python3-libxml2-debuginfo - 2.9.7-8,2.9.7-8;python3-libxml2 - 2.9.7-8,2.9.7-8,2.9.7-8,2.9.7-8;libxml2-devel - 2.9.1-6,2.9.1-6,2.9.7-8,2.9.1-6,2.9.7-8,2.9.7-8,2.9.1-6,2.9.7-8,2.9.1-6,2.9.7-8
CVE-2016-3627
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (1)The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.
Publish Date: 2016-05-17
URL: CVE-2016-3627
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3627
Release Date: 2016-05-17
Fix Resolution: v2.9.4
CVE-2017-9047
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/valid.c /release/src/router/libxml2/valid.c /release/src/router/libxml2/valid.c
### Vulnerability DetailsA buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.
Publish Date: 2017-05-18
URL: CVE-2017-9047
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047
Release Date: 2017-05-18
Fix Resolution: 2.9.5
CVE-2017-9048
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/valid.c /release/src/router/libxml2/valid.c /release/src/router/libxml2/valid.c
### Vulnerability Detailslibxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.
Publish Date: 2017-05-18
URL: CVE-2017-9048
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047
Release Date: 2017-05-18
Fix Resolution: 2.9.5
CVE-2018-14404
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/xpath.c /release/src/router/libxml2/xpath.c /release/src/router/libxml2/xpath.c
### Vulnerability DetailsA NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.
Publish Date: 2018-07-19
URL: CVE-2018-14404
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2018-07-19
Fix Resolution: nokogiri- 2.9.5, libxml2 - 2.9.9
CVE-2022-23308
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/valid.c /release/src/router/libxml2/valid.c /release/src/router/libxml2/valid.c
### Vulnerability Detailsvalid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
Publish Date: 2022-02-26
URL: CVE-2022-23308
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://mail.gnome.org/archives/xml/2022-February/msg00015.html
Release Date: 2022-02-26
Fix Resolution: v2.9.13
CVE-2016-4483
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (1)/release/src/router/libxml2/xmlsave.c
### Vulnerability DetailsThe xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627.
Publish Date: 2017-04-11
URL: CVE-2016-4483
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/deta?il?vulnId=CVE-2016-4483
Release Date: 2017-04-11
Fix Resolution: v2.9.4
CVE-2010-4494
### Vulnerable Library - mlvv1.2.1MLV Library
Library home page: https://git.savannah.gnu.org/git/mlv.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/libxml2/xpath.c /release/src/router/libxml2/xpath.c /release/src/router/libxml2/xpath.c
### Vulnerability DetailsDouble free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.
Publish Date: 2010-12-07
URL: CVE-2010-4494
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4494
Release Date: 2010-12-07
Fix Resolution: 9.0.589.0