r4vnn / devslop

MIT License

CVE-2023-29469 (Medium) detected in gettextv0.20.1 #194

Open mend-bolt-for-github[bot] opened 1 year ago

mend-bolt-for-github[bot] commented 1 year ago

CVE-2023-29469 - Medium Severity Vulnerability

Vulnerable Library - gettextv0.20.1

git://git.savannah.gnu.org/gettext.git

Library home page: https://github.com/autotools-mirror/gettext.git

Found in HEAD commit: 3437ea512d73ad9cae18d692c18facdeea1aa2bc

Found in base branch: master

Vulnerable Source Files (1)

/node_modules/libxmljs2/vendor/libxml/dict.c

Vulnerability Details

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).

Publish Date: 2023-04-24

URL: CVE-2023-29469

CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2023-29469

Release Date: 2023-04-07

Fix Resolution: v2.10.4
