CVE-2012-3514 - OCaml Xml-Light Library before r234 computes hash values without restricting the ability to trigger

CVE-2012-3514

Summary

OCaml Xml-Light Library before r234 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via unspecified vectors.

References

Vulnerable Configurations

cpe:2.3:a:nicolas_cannasse:ocaml_xml-light_library:r233:*:*:*:*:*:*:*
cpe:2.3:a:nicolas_cannasse:ocaml_xml-light_library:r233:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 12-02-2014 - 04:38)
Impact:
Exploitability:

CWE

CWE-310

CAPEC

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:N/A:P

refmap via4

bid	55114
confirm	https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0266
mandriva	MDVSA-2013:107
mlist	[oss-security] 20120820 ocaml-xml-light: hash table collisions CPU usage DoS CVE-2012-3514
secunia	50311

Last major update

12-02-2014 - 04:38

Published

25-08-2012 - 10:29

Last modified

12-02-2014 - 04:38