CVE-2013-1864
Last modified
CVE-2013-1864 is a vulnerability of currently unknown severity. The Portable Tool Library (aka PTLib) before 2.10.10, as used in Ekiga before 4.0.1, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted PXML document containing a large number of nested entity references, aka a "billion laughs attack.". EPSS estimates a 2.85% chance of exploitation in the next 30 days.
Description
The Portable Tool Library (aka PTLib) before 2.10.10, as used in Ekiga before 4.0.1, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted PXML document containing a large number of nested entity references, aka a "billion laughs attack."
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Opalvoip | Portable Tool Library | 2.10.1 | — |
| Opalvoip | Portable Tool Library | 2.10.2 | — |
| Opalvoip | Portable Tool Library | 2.10.7 | — |
| Opalvoip | Portable Tool Library | 2.10.9 | — |
| Ekiga | Ekiga | <= 4.0.0 | — |
| Suse | Suse Linux Enterprise Software Development Kit | 11.0 | Sp3 |
| Suse | Suse Linux Enterprise Desktop | 11.0 | Sp3 |
References
- http://sourceforge.net/p/opalvoip/code/28856Exploit, Patch
- http://www.ekiga.org/news/2013-02-21/ekiga-4.0.1-stable-availablePatch, Vendor Advisory
- http://sourceforge.net/p/opalvoip/code/28856Exploit, Patch
- http://www.ekiga.org/news/2013-02-21/ekiga-4.0.1-stable-availablePatch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2013-1864?
How severe is CVE-2013-1864?
How do I fix CVE-2013-1864?
Are you affected by CVE-2013-1864?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST