Fluid Attacks Database

Description

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
nuget	libxml2.vc140_xp.mt.static.x86	>=0 <=2.11.0	-
debian 11	libxml2	=2.9.10+dfsg-6.7 \|\| =2.9.10+dfsg-6.7+deb11u1 \|\| =2.9.10+dfsg-6.7+deb11u2 \|\| =2.9.10+dfsg-6.7+deb11u3 \|\| =2.9.10+dfsg-6.7+deb11u4 \|\| =2.9.10+dfsg-6.7+deb11u5 \|\| >=0 <2.9.10+dfsg-6.7+deb11u6	2.9.10+dfsg-6.7+deb11u6
debian 12	libxml2	=2.9.14+dfsg-1.2 \|\| =2.9.14+dfsg-1.3~deb12u1 \|\| >=0 <2.9.14+dfsg-1.3~deb12u2	2.9.14+dfsg-1.3~deb12u2
debian 13	libxml2	>=0 <2.12.7+dfsg+really2.9.14-1	2.12.7+dfsg+really2.9.14-1
debian 14	libxml2	>=0 <2.12.7+dfsg+really2.9.14-1	2.12.7+dfsg+really2.9.14-1
nuget	libxml2	>=0 <=2.11.0	-
rpm rhel8.8	libxml2	<0:2.9.7-16.el8_8.2	0:2.9.7-16.el8_8.2
rpm rhel9	libxml2	<0:2.9.13-5.el9_3	0:2.9.13-5.el9_3
rpm rhel6	libxml2	-	-
rpm rhel7	libxml2	-	-

1-10 of 12

Aliases

1. CVE-2023-396152. NVD-2023-396153. OSV-2023-396154. OSV-DEBIAN-2023-396155. GCVE-2023-396156. SECURITY-TRACKER-CVE-2023-39615

References

1. https://gitlab.gnome.org/GNOME/libxml2/-/issues/535

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.