dhlinh98 / juice-shop

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
http://owasp-juice.shop
MIT License

CVE-2023-29469 (Medium) detected in src73.0.3677.0 #265

Open mend-bolt-for-github[bot] opened 1 year ago

mend-bolt-for-github[bot] commented 1 year ago

CVE-2023-29469 - Medium Severity Vulnerability

Vulnerable Library - src73.0.3677.0

Library home page: https://chromium.googlesource.com/chromium/src

Found in HEAD commit: 15b744adda384be966bd6bcc52d9830c8bab440a

Found in base branch: master

Vulnerable Source Files (1)

/node_modules/libxmljs2/vendor/libxml/dict.c

Vulnerability Details

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).

Publish Date: 2023-04-24

URL: CVE-2023-29469

CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2023-29469

Release Date: 2023-04-07

Fix Resolution: v2.10.4

