CVE-2020-7595

Name: CVE-2020-7595
Creator: NVD / NIST
Published: 2020-01-21T23:15:13.867+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 7.84%

Last modified Jun 17, 2026

CVE-2020-7595 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.. EPSS estimates a 7.84% chance of exploitation in the next 30 days.

Description

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

7.84%

93.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Xmlsoft	Libxml2	2.9.10
Fedoraproject	Fedora	30
Fedoraproject	Fedora	31
Fedoraproject	Fedora	32
Canonical	Ubuntu Linux	12.04
Canonical	Ubuntu Linux	14.04
Canonical	Ubuntu Linux	16.04
Canonical	Ubuntu Linux	18.04
Canonical	Ubuntu Linux	19.10
Debian	Debian Linux	9.0
Siemens	Sinema Remote Connect Server	< 3.0
Netapp	Clustered Data Ontap	All versions
Netapp	Smi-S Provider	All versions
Netapp	Snapdrive	All versions
Netapp	Steelstore Cloud Integrated Storage	All versions
Netapp	Symantec Netbackup	All versions
Netapp	H300s Firmware	All versions
Netapp	H500s Firmware	All versions
Netapp	H700s Firmware	All versions
Netapp	H300e Firmware	All versions
Netapp	H500e Firmware	All versions
Netapp	H700e Firmware	All versions
Netapp	H410s Firmware	All versions
Netapp	H410c Firmware	All versions
Oracle	Real User Experience Insight	13.3.1.0
Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	1.10.0
Oracle	Enterprise Manager Base Platform	13.4.0.0
Oracle	Enterprise Manager Base Platform	13.5.0.0
Oracle	Enterprise Manager Ops Center	12.4.0.0
Oracle	Mysql Workbench	<= 8.0.26
Oracle	Peoplesoft Enterprise Peopletools	8.58
Oracle	Real User Experience Insight	13.4.1.0
Oracle	Real User Experience Insight	13.5.1.0

References

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.htmlBroken Link
https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdfThird Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00009.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/
https://security.gentoo.org/glsa/202010-04Third Party Advisory
https://security.netapp.com/advisory/ntap-20200702-0005/Third Party Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08Third Party Advisory, US Government Resource
https://usn.ubuntu.com/4274-1/Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.htmlBroken Link
https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdfThird Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00009.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/
https://security.gentoo.org/glsa/202010-04Third Party Advisory
https://security.netapp.com/advisory/ntap-20200702-0005/Third Party Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08Third Party Advisory, US Government Resource
https://usn.ubuntu.com/4274-1/Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory

Timeline

Published: Jan 21, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-7595?

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

How severe is CVE-2020-7595?

CVE-2020-7595 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 7.84% probability of exploitation in the next 30 days.

How do I fix CVE-2020-7595?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-7595?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST