gsd-2017-16932
Vulnerability from gsd
Modified
2018-01-29 00:00
Details
The version of libxml2 bundled with Nokogiri contains a vulnerability (CVE-2017-16932). Nokogiri mitigated this issue by upgrading its bundled libxml2 to 2.9.5, which carries the upstream fix; Nokogiri 1.8.1 and later are patched. Wei Lei discovered that libxml2 incorrectly handled certain parameter entities (parser.c does not prevent infinite recursion in parameter entities). An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service (CWE-835; availability impact only, CVSS v3 base score 7.5).



{
  "GSD": {
    "alias": "CVE-2017-16932",
    "description": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.",
    "id": "GSD-2017-16932",
    "references": [
      "https://www.suse.com/security/cve/CVE-2017-16932.html",
      "https://ubuntu.com/security/CVE-2017-16932",
      "https://advisories.mageia.org/CVE-2017-16932.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "nokogiri",
            "purl": "pkg:gem/nokogiri"
          }
        }
      ],
      "aliases": [
        "CVE-2017-16932"
      ],
      "details": "The version of libxml2 packaged with Nokogiri contains a\nvulnerability. Nokogiri has mitigated this issue by upgrading to\nlibxml 2.9.5.\n\nWei Lei discovered that libxml2 incorrectly handled certain parameter\nentities. An attacker could use this issue with specially constructed XML\ndata to cause libxml2 to consume resources, leading to a denial of service.\n",
      "id": "GSD-2017-16932",
      "modified": "2018-01-29T00:00:00.000Z",
      "published": "2018-01-29T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/sparklemotion/nokogiri/issues/1714"
        },
        {
          "type": "WEB",
          "url": "https://usn.ubuntu.com/usn/usn-3504-1/"
        },
        {
          "type": "WEB",
          "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html"
        }
      ],
      "schema_version": "1.4.0",
      "summary": "Nokogiri gem, via libxml, is affected by DoS vulnerabilities"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2017-16932",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html",
            "refsource": "CONFIRM",
            "url": "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html"
          },
          {
            "name": "[debian-lts-announce] 20171130 [SECURITY] [DLA 1194-1] libxml2 security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html"
          },
          {
            "name": "http://xmlsoft.org/news.html",
            "refsource": "CONFIRM",
            "url": "http://xmlsoft.org/news.html"
          },
          {
            "name": "USN-3739-1",
            "refsource": "UBUNTU",
            "url": "https://usn.ubuntu.com/3739-1/"
          },
          {
            "name": "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961",
            "refsource": "CONFIRM",
            "url": "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961"
          },
          {
            "name": "https://bugzilla.gnome.org/show_bug.cgi?id=759579",
            "refsource": "CONFIRM",
            "url": "https://bugzilla.gnome.org/show_bug.cgi?id=759579"
          },
          {
            "name": "[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
          },
          {
            "name": "[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
          },
          {
            "name": "[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2017-16932",
      "date": "2018-01-29",
      "description": "The version of libxml2 packaged with Nokogiri contains a\nvulnerability. Nokogiri has mitigated this issue by upgrading to\nlibxml 2.9.5.\n\nWei Lei discovered that libxml2 incorrectly handled certain parameter\nentities. An attacker could use this issue with specially constructed XML\ndata to cause libxml2 to consume resources, leading to a denial of service.\n",
      "gem": "nokogiri",
      "patched_versions": [
        "\u003e= 1.8.1"
      ],
      "related": {
        "url": [
          "https://usn.ubuntu.com/usn/usn-3504-1/",
          "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html"
        ]
      },
      "title": "Nokogiri gem, via libxml, is affected by DoS vulnerabilities",
      "url": "https://github.com/sparklemotion/nokogiri/issues/1714"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.8.1",
          "affected_versions": "All versions before 1.8.1",
          "credit": "Wei Lei",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-835",
            "CWE-937"
          ],
          "date": "2019-10-02",
          "description": "The library libxml2, which is included in nokogiri, incorrectly handles certain parameter entities. An attacker can leverage this with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.",
          "fixed_versions": [
            "1.8.1"
          ],
          "identifier": "CVE-2017-16932",
          "identifiers": [
            "CVE-2017-16932"
          ],
          "not_impacted": "All versions starting from 1.8.1",
          "package_slug": "gem/nokogiri",
          "pubdate": "2017-11-23",
          "solution": "Upgrade to version 1.8.1 or above.",
          "title": "Infinite recursion in parameter entities",
          "urls": [
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16932",
            "https://github.com/sparklemotion/nokogiri/issues/1714",
            "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html",
            "https://usn.ubuntu.com/usn/usn-3504-1/"
          ],
          "uuid": "6a0d56f6-2441-492a-9b14-edb95ac31919"
        },
        {
          "affected_range": "(,2.9.4]",
          "affected_versions": "All versions up to 2.9.4",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-835",
            "CWE-937"
          ],
          "date": "2021-06-29",
          "description": "parser.c in libxml2 does not prevent infinite recursion in parameter entities.",
          "fixed_versions": [],
          "identifier": "CVE-2017-16932",
          "identifiers": [
            "CVE-2017-16932"
          ],
          "not_impacted": "",
          "package_slug": "nuget/libxml2",
          "pubdate": "2017-11-23",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2017-16932"
          ],
          "uuid": "14b6ba29-7973-4c40-9fb5-a07b1812b641"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.9.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-16932"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-835"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961"
            },
            {
              "name": "https://bugzilla.gnome.org/show_bug.cgi?id=759579",
              "refsource": "CONFIRM",
              "tags": [
                "Permissions Required"
              ],
              "url": "https://bugzilla.gnome.org/show_bug.cgi?id=759579"
            },
            {
              "name": "http://xmlsoft.org/news.html",
              "refsource": "CONFIRM",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "http://xmlsoft.org/news.html"
            },
            {
              "name": "[debian-lts-announce] 20171130 [SECURITY] [DLA 1194-1] libxml2 security update",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html"
            },
            {
              "name": "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html"
            },
            {
              "name": "USN-3739-1",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "https://usn.ubuntu.com/3739-1/"
            },
            {
              "name": "[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
            },
            {
              "name": "[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
            },
            {
              "name": "[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": true,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-04-08T23:15Z",
      "publishedDate": "2017-11-23T21:29Z"
    }
  }
}

