CVE-2013-0340

Priority
Description
expat 2.1.0 and earlier does not properly handle entity expansion unless
an application developer uses the XML_SetEntityDeclHandler function, which
allows remote attackers to cause a denial of service (resource
consumption), send HTTP requests to intranet servers, or read arbitrary
files via a crafted XML document, aka an XML External Entity (XXE) issue.
NOTE: it could be argued that because expat already provides the ability to
disable external entity expansion, the responsibility for resolving this
issue lies with application developers; according to this argument, this
entry should be REJECTed, and each affected application would need its own
CVE.
Notes
jdstrand: PoC in oss-sec
  no upstream commits as of 2013-03-21. Contacted upstream on their
  (possibly moderated) expat-bugs mailing list since their bug tracker was
  down
  still no commits or upstream comments as of 2013-04-23
mdeslaur: Expat does not read or parse external entities directly, it is
  up to applications to do so.
  http://seclists.org/oss-sec/2013/q2/78
  marking as ignored, application-specific CVEs should be assigned
  to individual applications.
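The application-side check the description and notes point to, as an added example that is not code from this advisory or from expat itself: it uses Python's xml.parsers.expat binding, where the EntityDeclHandler attribute corresponds to the C function XML_SetEntityDeclHandler, and refuses any untrusted document that declares an entity. The sample documents and the placeholder file path are constructed.

```python
import xml.parsers.expat as expat


class ForbiddenEntity(Exception):
    """Raised when untrusted XML declares or references an entity we refuse."""


def make_hardened_parser():
    """expat parser that refuses every entity declaration.

    EntityDeclHandler is the Python binding of XML_SetEntityDeclHandler, the
    hook the advisory says applications must use: expat never fetches external
    entities itself, so the policy has to live in application code.
    """
    parser = expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # A SYSTEM or PUBLIC identifier marks an external entity: the XXE case
        # (file read, request to an intranet host) from the description.
        if system_id is not None or public_id is not None:
            raise ForbiddenEntity(f"external entity {name!r} ({system_id or public_id})")
        # Internal entities are refused too: nested internal entities are the
        # exponential-expansion (resource consumption) case. An application
        # that needs them could instead count them and cap len(value).
        raise ForbiddenEntity(f"internal entity {name!r} declared")

    def external_ref(context, base, system_id, public_id):
        # Defence in depth: never resolve an external reference even if a
        # declaration somehow slipped past entity_decl.
        raise ForbiddenEntity(f"external reference to {system_id or public_id}")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    return parser


def parse_untrusted(document):
    """Return (accepted, reason); only entity-free, well-formed XML is accepted."""
    parser = make_hardened_parser()
    try:
        parser.Parse(document, True)  # an exception in a handler aborts the parse
    except ForbiddenEntity as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed: {exc}"
    return True, None


# Constructed sample documents, not taken from the advisory.
BENIGN = '<?xml version="1.0"?><doc><item>hello</item></doc>'
XXE = '<!DOCTYPE doc [<!ENTITY x SYSTEM "file:///example/placeholder.txt">]><doc>&x;</doc>'
LAUGHS = '<!DOCTYPE doc [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><doc>&b;</doc>'
```

Calling parse_untrusted on each sample returns (True, None) for BENIGN and (False, reason) for the other two, with the reason naming the offending entity.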
Package
Source: ayttm (LP Ubuntu Debian)
Upstream: ignored
Package
Source: cmake (LP Ubuntu Debian)
Upstream: ignored
Package
Source: coin3 (LP Ubuntu Debian)
Upstream: ignored
Package
Source: expat (LP Ubuntu Debian)
Upstream: ignored
Package
Source: gdcm (LP Ubuntu Debian)
Upstream: ignored
Package
Source: poco (LP Ubuntu Debian)
Upstream: ignored
Package
Source: smart (LP Ubuntu Debian)
Upstream: ignored
Package
Source: tdom (LP Ubuntu Debian)
Upstream: ignored
Package
Source: tla (LP Ubuntu Debian)
Upstream: ignored
Package
Source: vnc4 (LP Ubuntu Debian)
Upstream: ignored
Package
Source: vtk (LP Ubuntu Debian)
Upstream: ignored
Package
Source: xotcl (LP Ubuntu Debian)
Upstream: ignored
28 further package entries in this copy carry no source name; each is likewise marked Upstream: ignored.
More Information

Updated: 2020-01-29 19:45:55 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)