CVE-2014-3660

Severity: Unknown
EPSS: 4.02%

Last modified

CVE-2014-3660 is a vulnerability of currently unknown severity. parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack. EPSS estimates a 4.02% chance of exploitation in the next 30 days.

Description

parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.

Metrics

EPSS Probability
4.02%

89.3th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor  | Product | Versions
--------|---------|---------
Xmlsoft | Libxml2 | <= 2.9.1
Xmlsoft | Libxml2 | 2.0.0
Xmlsoft | Libxml2 | 2.1.0
Xmlsoft | Libxml2 | 2.1.1
Xmlsoft | Libxml2 | 2.2.0
Xmlsoft | Libxml2 | 2.2.1
Xmlsoft | Libxml2 | 2.2.2
Xmlsoft | Libxml2 | 2.2.3
Xmlsoft | Libxml2 | 2.2.4
Xmlsoft | Libxml2 | 2.2.5
Xmlsoft | Libxml2 | 2.2.6
Xmlsoft | Libxml2 | 2.2.7
Xmlsoft | Libxml2 | 2.2.8
Xmlsoft | Libxml2 | 2.2.9
Xmlsoft | Libxml2 | 2.2.10
Xmlsoft | Libxml2 | 2.2.11
Xmlsoft | Libxml2 | 2.3.0
Xmlsoft | Libxml2 | 2.3.1
Xmlsoft | Libxml2 | 2.3.2
Xmlsoft | Libxml2 | 2.3.3
Xmlsoft | Libxml2 | 2.3.4
Xmlsoft | Libxml2 | 2.3.5
Xmlsoft | Libxml2 | 2.3.6
Xmlsoft | Libxml2 | 2.3.7
Xmlsoft | Libxml2 | 2.3.8
Xmlsoft | Libxml2 | 2.3.9
Xmlsoft | Libxml2 | 2.3.10
Xmlsoft | Libxml2 | 2.3.11
Xmlsoft | Libxml2 | 2.3.12
Xmlsoft | Libxml2 | 2.3.13
Xmlsoft | Libxml2 | 2.3.14
Xmlsoft | Libxml2 | 2.4.1
Xmlsoft | Libxml2 | 2.4.2
Xmlsoft | Libxml2 | 2.4.3
Xmlsoft | Libxml2 | 2.4.4
Xmlsoft | Libxml2 | 2.4.5
Xmlsoft | Libxml2 | 2.4.6
Xmlsoft | Libxml2 | 2.4.7
Xmlsoft | Libxml2 | 2.4.8
Xmlsoft | Libxml2 | 2.4.9
Xmlsoft | Libxml2 | 2.4.10
Xmlsoft | Libxml2 | 2.4.11
Xmlsoft | Libxml2 | 2.4.12
Xmlsoft | Libxml2 | 2.4.13
Xmlsoft | Libxml2 | 2.4.14
Xmlsoft | Libxml2 | 2.4.15
Xmlsoft | Libxml2 | 2.4.16
Xmlsoft | Libxml2 | 2.4.17
Xmlsoft | Libxml2 | 2.4.18
Xmlsoft | Libxml2 | 2.4.19

Showing 50 of 114 affected configurations. See NVD for the full list.

References

Timeline

Published:
Last Modified:
Status: Modified

Frequently Asked Questions

What is CVE-2014-3660?
parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
How severe is CVE-2014-3660?
Severity scoring for CVE-2014-3660 is pending analysis. The EPSS model estimates a 4.02% probability of exploitation in the next 30 days.
How do I fix CVE-2014-3660?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2014-3660?

Run a free Strix scan to check your systems for this vulnerability.


Source: NVD / NIST