MidnightBSD / src

MidnightBSD OS source code
https://www.midnightbsd.org/

CVE-2024-28757 (High) detected in libexpatR_2_5_0 #207

Closed mend-bolt-for-github[bot] closed 7 months ago

mend-bolt-for-github[bot] commented 8 months ago

CVE-2024-28757 - High Severity Vulnerability

Vulnerable Library - libexpatR_2_5_0

Fast streaming XML parser written in C99; migrated from SourceForge to GitHub

Library home page: https://github.com/libexpat/libexpat.git

Found in HEAD commit: 816463d989cc5839c1cca2efb5bf2503408507fb

Found in base branches: stable/3.1, master

Vulnerable Source Files (1)

/contrib/expat/lib/xmlparse.c

Vulnerability Details

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

Publish Date: 2024-03-10

URL: CVE-2024-28757

CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-28757

Release Date: 2024-03-10

Fix Resolution: R_2_6_2


laffer1 commented 7 months ago

Fixed in 66112a93a35e10eea93cce84dfa4c514fac49791 and 801af9dbb4c87366e326007e4a43b1bc68edf887

laffer1 commented 7 months ago

Actually we only updated to 2.6.0...

laffer1 commented 7 months ago

updated to 2.6.2 in 801af9dbb4c87366e326007e4a43b1bc68edf887