CVE-2013-0340
CVE-2013-0340 is a vulnerability of currently unknown severity. EPSS estimates a 19.43% chance of exploitation in the next 30 days.
Description
expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
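The mitigation the description points at is the entity-declaration hook: expat reports every `<!ENTITY ...>` declaration to the callback registered with `XML_SetEntityDeclHandler` before any expansion takes place, so an application can refuse the document at that point. The following is an added example, not code from this record or from the expat project. It uses Python's bundled expat binding (`xml.parsers.expat`), where that C function is exposed as the `EntityDeclHandler` attribute; the exception class names, the `parse_untrusted`/`classify` helpers and the sample documents are constructed for this illustration.

```python
"""Rejecting entity declarations through expat's EntityDeclHandler.

Added example (not part of the CVE record). Python's xml.parsers.expat
exposes XML_SetEntityDeclHandler as the EntityDeclHandler attribute; an
exception raised inside a handler aborts Parse() and propagates to the caller.
"""
import xml.parsers.expat as expat


class EntityDeclarationForbidden(Exception):
    """Raised as soon as the DTD declares any entity, internal or external."""


class ExternalReferenceForbidden(Exception):
    """Raised if the parser is asked to resolve an external entity reference."""


def make_hardened_parser():
    """Return an expat parser that aborts on the first entity declaration."""
    parser = expat.ParserCreate()

    def entity_decl(entity_name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        # Called for every entity declaration in the DTD before any
        # expansion happens: this is where the advisory's mitigation hooks in.
        raise EntityDeclarationForbidden(entity_name)

    def external_entity_ref(context, base, system_id, public_id):
        # Defense in depth: normally unreachable, because the declaration
        # handler above has already rejected the document.
        raise ExternalReferenceForbidden(system_id)

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    return parser


def parse_untrusted(document: bytes) -> dict:
    """Parse an untrusted document; returns element names and character data.

    Raises EntityDeclarationForbidden / ExternalReferenceForbidden on entity
    use and expat.ExpatError on malformed input.
    """
    parser = make_hardened_parser()
    elements = []
    text = []
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(document, True)  # True: this buffer is the whole document
    return {"elements": elements, "text": "".join(text)}


def classify(document: bytes) -> str:
    """Map the parser outcome to a short verdict usable in logs or metrics."""
    try:
        parse_untrusted(document)
        return "ok"
    except EntityDeclarationForbidden:
        return "entity-declaration"
    except ExternalReferenceForbidden:
        return "external-reference"
    except expat.ExpatError:
        return "malformed"


# Constructed sample inputs (not taken from the advisory).
BENIGN = b"<root><item>hello</item></root>"
INTERNAL_ENTITY = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
EXTERNAL_ENTITY = (b'<!DOCTYPE r [<!ENTITY e SYSTEM "file:///constructed/placeholder">]>'
                   b'<r>&e;</r>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN),
                       ("internal entity", INTERNAL_ENTITY),
                       ("external entity", EXTERNAL_ENTITY),
                       ("truncated", b"<root>")]:
        print(f"{label:16s} -> {classify(doc)}")
```

Because the rejection happens in the declaration callback, it does not depend on the expat version in use, which is why the advisory frames it as the application developer's responsibility; it also rejects internal entities, so the resource-consumption case is covered alongside external references. Applications that legitimately need a few internal entities can inspect `system_id` and `public_id` in the handler instead of rejecting unconditionally.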
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Libexpat Project | Libexpat | < 2.4.0 |
| Python | Python | >= 3.6.0, < 3.6.15 |
| Python | Python | >= 3.7.0, < 3.7.12 |
| Python | Python | >= 3.8.0, < 3.8.12 |
| Python | Python | >= 3.9.0, < 3.9.7 |
| Apple | iPadOS | < 14.8 |
| Apple | iPhone OS | < 14.8 |
| Apple | macOS | < 11.6 |
| Apple | tvOS | < 15.0 |
| Apple | watchOS | < 8.0 |
References
- http://openwall.com/lists/oss-security/2013/02/22/3 (Exploit, Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2021/Oct/61 (Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2021/Oct/62 (Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2021/Oct/63 (Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2021/Sep/33 (Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2021/Sep/34 (Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2021/Sep/35 (Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2021/Sep/38 (Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2021/Sep/39 (Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2021/Sep/40 (Mailing List, Third Party Advisory)
- http://securitytracker.com/id?1028213 (Third Party Advisory, VDB Entry)
- http://www.openwall.com/lists/oss-security/2013/04/12/6 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2021/10/07/4 (Mailing List, Third Party Advisory)
- http://www.osvdb.org/90634 (Broken Link)
- http://www.securityfocus.com/bid/58233 (Broken Link, Third Party Advisory, VDB Entry)
- https://security.gentoo.org/glsa/201701-21 (Third Party Advisory)
- https://support.apple.com/kb/HT212804 (Third Party Advisory)
- https://support.apple.com/kb/HT212805 (Third Party Advisory)
- https://support.apple.com/kb/HT212807 (Third Party Advisory)
- https://support.apple.com/kb/HT212814 (Third Party Advisory)
- https://support.apple.com/kb/HT212815 (Third Party Advisory)
- https://support.apple.com/kb/HT212819 (Third Party Advisory)
Source: NVD / NIST
