Fluid Attacks Database

Description

XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes. A :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl's read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libxml-parser-perl	>=0 <2.46-1	2.46-1
debian 12	libxml-parser-perl	>=0 <2.46-1	2.46-1
rpm rhel9	perl-XML-Parser	<0:2.46-9.1.el9_7	0:2.46-9.1.el9_7
rpm rhel7	perl-XML-Parser	-	-
rpm rhel8	perl-XML-Parser	<0:2.44-12.el8_10	0:2.44-12.el8_10
debian 14	libxml-parser-perl	>=0 <2.46-1	2.46-1
debian 13	libxml-parser-perl	>=0 <2.46-1	2.46-1
rpm rhel10	perl-XML-Parser	<0:2.47-6.1.el10_1	0:2.47-6.1.el10_1
rpm rhel6	perl-XML-Parser	-	-
rpm rhel8.4	perl-XML-Parser	<0:2.44-11.el8_4.1	0:2.44-11.el8_4.1

1-10 of 13

Aliases

1. CVE-2006-100022. NVD-2006-100023. OSV-DEBIAN-2006-100024. OSV-2006-100025. SECURITY-TRACKER-CVE-2006-10002

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.