Strix
26.1K

CVE-2013-0339

UnknownEPSS 4.42%

Last modified

CVE-2013-0339 is a vulnerability of currently unknown severity. libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.. EPSS estimates a 4.42% chance of exploitation in the next 30 days.

Description

libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.

Metrics

EPSS Probability
4.42%

90.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
XmlsoftLibxml2<= 2.9.1
XmlsoftLibxml21.7.0
XmlsoftLibxml21.7.1
XmlsoftLibxml21.7.2
XmlsoftLibxml21.7.3
XmlsoftLibxml21.7.4
XmlsoftLibxml21.8.0
XmlsoftLibxml21.8.1
XmlsoftLibxml21.8.2
XmlsoftLibxml21.8.3
XmlsoftLibxml21.8.4
XmlsoftLibxml21.8.5
XmlsoftLibxml21.8.6
XmlsoftLibxml21.8.7
XmlsoftLibxml21.8.9
XmlsoftLibxml21.8.10
XmlsoftLibxml21.8.13
XmlsoftLibxml21.8.14
XmlsoftLibxml21.8.16
XmlsoftLibxml22.0.0
XmlsoftLibxml22.1.0
XmlsoftLibxml22.1.1
XmlsoftLibxml22.2.0
XmlsoftLibxml22.2.1
XmlsoftLibxml22.2.2
XmlsoftLibxml22.2.3
XmlsoftLibxml22.2.4
XmlsoftLibxml22.2.5
XmlsoftLibxml22.2.6
XmlsoftLibxml22.2.7
XmlsoftLibxml22.2.8
XmlsoftLibxml22.2.9
XmlsoftLibxml22.2.10
XmlsoftLibxml22.2.11
XmlsoftLibxml22.3.0
XmlsoftLibxml22.3.1
XmlsoftLibxml22.3.2
XmlsoftLibxml22.3.3
XmlsoftLibxml22.3.4
XmlsoftLibxml22.3.5
XmlsoftLibxml22.3.6
XmlsoftLibxml22.3.7
XmlsoftLibxml22.3.8
XmlsoftLibxml22.3.9
XmlsoftLibxml22.3.10
XmlsoftLibxml22.3.11
XmlsoftLibxml22.3.12
XmlsoftLibxml22.3.13
XmlsoftLibxml22.3.14
XmlsoftLibxml22.4.1

Showing 50 of 133 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2013-0339?
libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.
How severe is CVE-2013-0339?
Severity scoring for CVE-2013-0339 is pending analysis. The EPSS model estimates a 4.42% probability of exploitation in the next 30 days.
How do I fix CVE-2013-0339?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2013-0339?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST