cvelistv5 - CVE-2011-1755

URL	Tags
secalert@redhat.com	http://codex.xiaoka.com/svn/jabberd2/tags/jabberd-2.2.14/ChangeLog	Broken Link
secalert@redhat.com	http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html	Mailing List
secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061341.html	Mailing List
secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061458.html	Mailing List
secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061482.html	Mailing List
secalert@redhat.com	http://secunia.com/advisories/44787	Broken Link, Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/44957	Broken Link
secalert@redhat.com	http://secunia.com/advisories/45112	Broken Link
secalert@redhat.com	http://support.apple.com/kb/HT5002	Third Party Advisory
secalert@redhat.com	http://www.mail-archive.com/jabberd2%40lists.xiaoka.com/msg01655.html	Release Notes
secalert@redhat.com	http://www.redhat.com/support/errata/RHSA-2011-0881.html	Broken Link
secalert@redhat.com	http://www.redhat.com/support/errata/RHSA-2011-0882.html	Broken Link
secalert@redhat.com	http://www.securityfocus.com/bid/48250	Broken Link, Third Party Advisory, VDB Entry
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=700390	Issue Tracking, Patch
secalert@redhat.com	https://exchange.xforce.ibmcloud.com/vulnerabilities/67770	Third Party Advisory, VDB Entry
secalert@redhat.com	https://hermes.opensuse.org/messages/9197650	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://codex.xiaoka.com/svn/jabberd2/tags/jabberd-2.2.14/ChangeLog	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html	Mailing List
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061341.html	Mailing List
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061458.html	Mailing List
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061482.html	Mailing List
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/44787	Broken Link, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/44957	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/45112	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://support.apple.com/kb/HT5002	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.mail-archive.com/jabberd2%40lists.xiaoka.com/msg01655.html	Release Notes
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2011-0881.html	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2011-0882.html	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/48250	Broken Link, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=700390	Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/67770	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://hermes.opensuse.org/messages/9197650	Broken Link

ghsa-rpcf-xw9j-7c7j

Vulnerability from github

Published

2022-05-17 01:59

Modified

2024-02-02 15:30

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2011-1755"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-06-21T02:52:00Z",
    "severity": "MODERATE"
  },
  "details": "jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.",
  "id": "GHSA-rpcf-xw9j-7c7j",
  "modified": "2024-02-02T15:30:27Z",
  "published": "2022-05-17T01:59:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1755"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=700390"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67770"
    },
    {
      "type": "WEB",
      "url": "https://hermes.opensuse.org/messages/9197650"
    },
    {
      "type": "WEB",
      "url": "http://codex.xiaoka.com/svn/jabberd2/tags/jabberd-2.2.14/ChangeLog"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061341.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061458.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061482.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/44787"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/44957"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/45112"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT5002"
    },
    {
      "type": "WEB",
      "url": "http://www.mail-archive.com/jabberd2%40lists.xiaoka.com/msg01655.html"
    },
    {
      "type": "WEB",
      "url": "http://www.mail-archive.com/jabberd2@lists.xiaoka.com/msg01655.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0881.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0882.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/48250"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

rhsa-2011_0881

Vulnerability from csaf_redhat

Published

2011-06-16 19:18

Modified

2024-11-22 04:27

Summary

Red Hat Security Advisory: Red Hat Network Proxy server jabberd security update

Notes

Topic

An updated jabberd package that fixes one security issue is now available for Red Hat Network Proxy 5.4.1 for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Details

This package provides jabberd 2, an Extensible Messaging and Presence Protocol (XMPP) server used for XML based communication. It was found that the jabberd daemon did not properly detect recursion during entity expansion. A remote attacker could provide a specially-crafted XML file containing a large number of nested entity references, which once processed by the jabberd daemon, could lead to a denial of service (excessive memory and CPU consumption). (CVE-2011-1755) Red Hat would like to thank Nico Golde of the Debian Security Team for reporting this issue. The Debian Security Team acknowledges Wouter Coekaerts as the original reporter. Users of Red Hat Network Proxy 5.4.1 are advised to upgrade to this updated jabberd package, which resolves this issue. For this update to take effect, Red Hat Network Proxy must be restarted. Refer to the Solution section for details.

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated jabberd package that fixes one security issue is now available\nfor Red Hat Network Proxy 5.4.1 for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This package provides jabberd 2, an Extensible Messaging and Presence\nProtocol (XMPP) server used for XML based communication.\n\nIt was found that the jabberd daemon did not properly detect recursion\nduring entity expansion. A remote attacker could provide a\nspecially-crafted XML file containing a large number of nested entity\nreferences, which once processed by the jabberd daemon, could lead to a\ndenial of service (excessive memory and CPU consumption). (CVE-2011-1755)\n\nRed Hat would like to thank Nico Golde of the Debian Security Team for\nreporting this issue. The Debian Security Team acknowledges Wouter\nCoekaerts as the original reporter.\n\nUsers of Red Hat Network Proxy 5.4.1 are advised to upgrade to this updated\njabberd package, which resolves this issue. For this update to take effect,\nRed Hat Network Proxy must be restarted. Refer to the Solution section for\ndetails.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2011:0881",
        "url": "https://access.redhat.com/errata/RHSA-2011:0881"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#low",
        "url": "https://access.redhat.com/security/updates/classification/#low"
      },
      {
        "category": "external",
        "summary": "700390",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=700390"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2011/rhsa-2011_0881.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Network Proxy server jabberd security update",
    "tracking": {
      "current_release_date": "2024-11-22T04:27:42+00:00",
      "generator": {
        "date": "2024-11-22T04:27:42+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2011:0881",
      "initial_release_date": "2011-06-16T19:18:00+00:00",
      "revision_history": [
        {
          "date": "2011-06-16T19:18:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2011-06-16T15:21:35+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T04:27:42+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Satellite Proxy 5.4 (RHEL v.5)",
                "product": {
                  "name": "Red Hat Satellite Proxy 5.4 (RHEL v.5)",
                  "product_id": "5Server-RHNProxy54",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:network_proxy:5.4::el5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Satellite Proxy"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
                "product": {
                  "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
                  "product_id": "jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd-debuginfo@2.2.8-12.el5sat?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jabberd-0:2.2.8-12.el5sat.s390x",
                "product": {
                  "name": "jabberd-0:2.2.8-12.el5sat.s390x",
                  "product_id": "jabberd-0:2.2.8-12.el5sat.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd@2.2.8-12.el5sat?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64",
                "product": {
                  "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64",
                  "product_id": "jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd-debuginfo@2.2.8-12.el5sat?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jabberd-0:2.2.8-12.el5sat.x86_64",
                "product": {
                  "name": "jabberd-0:2.2.8-12.el5sat.x86_64",
                  "product_id": "jabberd-0:2.2.8-12.el5sat.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd@2.2.8-12.el5sat?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
                "product": {
                  "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
                  "product_id": "jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd-debuginfo@2.2.8-12.el5sat?arch=i386"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jabberd-0:2.2.8-12.el5sat.i386",
                "product": {
                  "name": "jabberd-0:2.2.8-12.el5sat.i386",
                  "product_id": "jabberd-0:2.2.8-12.el5sat.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd@2.2.8-12.el5sat?arch=i386"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i386"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jabberd-0:2.2.8-12.el5sat.src",
                "product": {
                  "name": "jabberd-0:2.2.8-12.el5sat.src",
                  "product_id": "jabberd-0:2.2.8-12.el5sat.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd@2.2.8-12.el5sat?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-0:2.2.8-12.el5sat.i386 as a component of Red Hat Satellite Proxy 5.4 (RHEL v.5)",
          "product_id": "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.i386"
        },
        "product_reference": "jabberd-0:2.2.8-12.el5sat.i386",
        "relates_to_product_reference": "5Server-RHNProxy54"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-0:2.2.8-12.el5sat.s390x as a component of Red Hat Satellite Proxy 5.4 (RHEL v.5)",
          "product_id": "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.s390x"
        },
        "product_reference": "jabberd-0:2.2.8-12.el5sat.s390x",
        "relates_to_product_reference": "5Server-RHNProxy54"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-0:2.2.8-12.el5sat.src as a component of Red Hat Satellite Proxy 5.4 (RHEL v.5)",
          "product_id": "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.src"
        },
        "product_reference": "jabberd-0:2.2.8-12.el5sat.src",
        "relates_to_product_reference": "5Server-RHNProxy54"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-0:2.2.8-12.el5sat.x86_64 as a component of Red Hat Satellite Proxy 5.4 (RHEL v.5)",
          "product_id": "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.x86_64"
        },
        "product_reference": "jabberd-0:2.2.8-12.el5sat.x86_64",
        "relates_to_product_reference": "5Server-RHNProxy54"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.i386 as a component of Red Hat Satellite Proxy 5.4 (RHEL v.5)",
          "product_id": "5Server-RHNProxy54:jabberd-debuginfo-0:2.2.8-12.el5sat.i386"
        },
        "product_reference": "jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
        "relates_to_product_reference": "5Server-RHNProxy54"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.s390x as a component of Red Hat Satellite Proxy 5.4 (RHEL v.5)",
          "product_id": "5Server-RHNProxy54:jabberd-debuginfo-0:2.2.8-12.el5sat.s390x"
        },
        "product_reference": "jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
        "relates_to_product_reference": "5Server-RHNProxy54"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64 as a component of Red Hat Satellite Proxy 5.4 (RHEL v.5)",
          "product_id": "5Server-RHNProxy54:jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64"
        },
        "product_reference": "jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64",
        "relates_to_product_reference": "5Server-RHNProxy54"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2011-1755",
      "discovery_date": "2011-04-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "700390"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jabberd: DoS via the XML \"billion laughs attack\"",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Vulnerable. This issue has been addressed in Red Hat Network Satellite Server v 5.4.1 via RHSA-2011:0882 https://rhn.redhat.com/errata/RHSA-2011-0882.html and in Red Hat Network Proxy Server v5.4.1 via RHSA-2011:0881 https://rhn.redhat.com/errata/RHSA-2011-0881.html. This issue is not planned\nto be fixed in Red Hat Network Satellite Server versions 5.0.2, 5.1.1, 5.2.1, 5.3.0 and not planned to be fixed in Red Hat Network Proxy Server versions 5.0.2, 5.1.1, 5.2.1, and 5.3.0.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.i386",
          "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.s390x",
          "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.src",
          "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.x86_64",
          "5Server-RHNProxy54:jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
          "5Server-RHNProxy54:jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
          "5Server-RHNProxy54:jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2011-1755"
        },
        {
          "category": "external",
          "summary": "RHBZ#700390",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=700390"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2011-1755",
          "url": "https://www.cve.org/CVERecord?id=CVE-2011-1755"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-1755",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1755"
        }
      ],
      "release_date": "2011-05-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2011-06-16T19:18:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259\n\nRun the following command to restart the Red Hat Network Proxy server:\n\n# rhn-proxy restart",
          "product_ids": [
            "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.i386",
            "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.s390x",
            "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.src",
            "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.x86_64",
            "5Server-RHNProxy54:jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
            "5Server-RHNProxy54:jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
            "5Server-RHNProxy54:jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2011:0881"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.i386",
            "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.s390x",
            "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.src",
            "5Server-RHNProxy54:jabberd-0:2.2.8-12.el5sat.x86_64",
            "5Server-RHNProxy54:jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
            "5Server-RHNProxy54:jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
            "5Server-RHNProxy54:jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "jabberd: DoS via the XML \"billion laughs attack\""
    }
  ]
}

rhsa-2011_0882

Vulnerability from csaf_redhat

Published

2011-06-16 19:25

Modified

2024-11-22 04:27

Summary

Red Hat Security Advisory: Red Hat Network Satellite server jabberd security update

Notes

Topic

An updated jabberd package that fixes one security issue is now available for Red Hat Network Satellite 5.4.1 for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Details

This package provides jabberd 2, an Extensible Messaging and Presence Protocol (XMPP) server used for XML based communication. It was found that the jabberd daemon did not properly detect recursion during entity expansion. A remote attacker could provide a specially-crafted XML file containing a large number of nested entity references, which once processed by the jabberd daemon, could lead to a denial of service (excessive memory and CPU consumption). (CVE-2011-1755) Red Hat would like to thank Nico Golde of the Debian Security Team for reporting this issue. The Debian Security Team acknowledges Wouter Coekaerts as the original reporter. Users of Red Hat Network Satellite 5.4.1 are advised to upgrade to this updated jabberd package, which resolves this issue. For this update to take effect, Red Hat Network Satellite must be restarted. Refer to the Solution section for details.

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated jabberd package that fixes one security issue is now available\nfor Red Hat Network Satellite 5.4.1 for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This package provides jabberd 2, an Extensible Messaging and Presence\nProtocol (XMPP) server used for XML based communication.\n\nIt was found that the jabberd daemon did not properly detect recursion\nduring entity expansion. A remote attacker could provide a\nspecially-crafted XML file containing a large number of nested entity\nreferences, which once processed by the jabberd daemon, could lead to a\ndenial of service (excessive memory and CPU consumption). (CVE-2011-1755)\n\nRed Hat would like to thank Nico Golde of the Debian Security Team for\nreporting this issue. The Debian Security Team acknowledges Wouter\nCoekaerts as the original reporter.\n\nUsers of Red Hat Network Satellite 5.4.1 are advised to upgrade to this\nupdated jabberd package, which resolves this issue. For this update to take\neffect, Red Hat Network Satellite must be restarted. Refer to the Solution\nsection for details.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2011:0882",
        "url": "https://access.redhat.com/errata/RHSA-2011:0882"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#low",
        "url": "https://access.redhat.com/security/updates/classification/#low"
      },
      {
        "category": "external",
        "summary": "700390",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=700390"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2011/rhsa-2011_0882.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Network Satellite server jabberd security update",
    "tracking": {
      "current_release_date": "2024-11-22T04:27:46+00:00",
      "generator": {
        "date": "2024-11-22T04:27:46+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2011:0882",
      "initial_release_date": "2011-06-16T19:25:00+00:00",
      "revision_history": [
        {
          "date": "2011-06-16T19:25:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2011-06-16T15:34:43+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T04:27:46+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Satellite 5.4 (RHEL v.5)",
                "product": {
                  "name": "Red Hat Satellite 5.4 (RHEL v.5)",
                  "product_id": "5Server-Satellite54",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:network_satellite:5.4::el5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Satellite"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
                "product": {
                  "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
                  "product_id": "jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd-debuginfo@2.2.8-12.el5sat?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jabberd-0:2.2.8-12.el5sat.s390x",
                "product": {
                  "name": "jabberd-0:2.2.8-12.el5sat.s390x",
                  "product_id": "jabberd-0:2.2.8-12.el5sat.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd@2.2.8-12.el5sat?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64",
                "product": {
                  "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64",
                  "product_id": "jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd-debuginfo@2.2.8-12.el5sat?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jabberd-0:2.2.8-12.el5sat.x86_64",
                "product": {
                  "name": "jabberd-0:2.2.8-12.el5sat.x86_64",
                  "product_id": "jabberd-0:2.2.8-12.el5sat.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd@2.2.8-12.el5sat?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
                "product": {
                  "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
                  "product_id": "jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd-debuginfo@2.2.8-12.el5sat?arch=i386"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jabberd-0:2.2.8-12.el5sat.i386",
                "product": {
                  "name": "jabberd-0:2.2.8-12.el5sat.i386",
                  "product_id": "jabberd-0:2.2.8-12.el5sat.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd@2.2.8-12.el5sat?arch=i386"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i386"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jabberd-0:2.2.8-12.el5sat.src",
                "product": {
                  "name": "jabberd-0:2.2.8-12.el5sat.src",
                  "product_id": "jabberd-0:2.2.8-12.el5sat.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jabberd@2.2.8-12.el5sat?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-0:2.2.8-12.el5sat.i386 as a component of Red Hat Satellite 5.4 (RHEL v.5)",
          "product_id": "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.i386"
        },
        "product_reference": "jabberd-0:2.2.8-12.el5sat.i386",
        "relates_to_product_reference": "5Server-Satellite54"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-0:2.2.8-12.el5sat.s390x as a component of Red Hat Satellite 5.4 (RHEL v.5)",
          "product_id": "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.s390x"
        },
        "product_reference": "jabberd-0:2.2.8-12.el5sat.s390x",
        "relates_to_product_reference": "5Server-Satellite54"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-0:2.2.8-12.el5sat.src as a component of Red Hat Satellite 5.4 (RHEL v.5)",
          "product_id": "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.src"
        },
        "product_reference": "jabberd-0:2.2.8-12.el5sat.src",
        "relates_to_product_reference": "5Server-Satellite54"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-0:2.2.8-12.el5sat.x86_64 as a component of Red Hat Satellite 5.4 (RHEL v.5)",
          "product_id": "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.x86_64"
        },
        "product_reference": "jabberd-0:2.2.8-12.el5sat.x86_64",
        "relates_to_product_reference": "5Server-Satellite54"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.i386 as a component of Red Hat Satellite 5.4 (RHEL v.5)",
          "product_id": "5Server-Satellite54:jabberd-debuginfo-0:2.2.8-12.el5sat.i386"
        },
        "product_reference": "jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
        "relates_to_product_reference": "5Server-Satellite54"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.s390x as a component of Red Hat Satellite 5.4 (RHEL v.5)",
          "product_id": "5Server-Satellite54:jabberd-debuginfo-0:2.2.8-12.el5sat.s390x"
        },
        "product_reference": "jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
        "relates_to_product_reference": "5Server-Satellite54"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64 as a component of Red Hat Satellite 5.4 (RHEL v.5)",
          "product_id": "5Server-Satellite54:jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64"
        },
        "product_reference": "jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64",
        "relates_to_product_reference": "5Server-Satellite54"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2011-1755",
      "discovery_date": "2011-04-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "700390"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jabberd: DoS via the XML \"billion laughs attack\"",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Vulnerable. This issue has been addressed in Red Hat Network Satellite Server v 5.4.1 via RHSA-2011:0882 https://rhn.redhat.com/errata/RHSA-2011-0882.html and in Red Hat Network Proxy Server v5.4.1 via RHSA-2011:0881 https://rhn.redhat.com/errata/RHSA-2011-0881.html. This issue is not planned\nto be fixed in Red Hat Network Satellite Server versions 5.0.2, 5.1.1, 5.2.1, 5.3.0 and not planned to be fixed in Red Hat Network Proxy Server versions 5.0.2, 5.1.1, 5.2.1, and 5.3.0.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.i386",
          "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.s390x",
          "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.src",
          "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.x86_64",
          "5Server-Satellite54:jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
          "5Server-Satellite54:jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
          "5Server-Satellite54:jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2011-1755"
        },
        {
          "category": "external",
          "summary": "RHBZ#700390",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=700390"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2011-1755",
          "url": "https://www.cve.org/CVERecord?id=CVE-2011-1755"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-1755",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1755"
        }
      ],
      "release_date": "2011-05-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2011-06-16T19:25:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259\n\nRun the following command to restart the Red Hat Network Satellite\nserver:\n\n# rhn-satellite restart",
          "product_ids": [
            "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.i386",
            "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.s390x",
            "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.src",
            "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.x86_64",
            "5Server-Satellite54:jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
            "5Server-Satellite54:jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
            "5Server-Satellite54:jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2011:0882"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.i386",
            "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.s390x",
            "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.src",
            "5Server-Satellite54:jabberd-0:2.2.8-12.el5sat.x86_64",
            "5Server-Satellite54:jabberd-debuginfo-0:2.2.8-12.el5sat.i386",
            "5Server-Satellite54:jabberd-debuginfo-0:2.2.8-12.el5sat.s390x",
            "5Server-Satellite54:jabberd-debuginfo-0:2.2.8-12.el5sat.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "jabberd: DoS via the XML \"billion laughs attack\""
    }
  ]
}

gsd-2011-1755

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

Aliases

CVE-2011-1755

Aliases

CVE-2011-1755

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2011-1755",
    "description": "jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.",
    "id": "GSD-2011-1755",
    "references": [
      "https://www.suse.com/security/cve/CVE-2011-1755.html",
      "https://access.redhat.com/errata/RHSA-2011:0882",
      "https://access.redhat.com/errata/RHSA-2011:0881"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2011-1755"
      ],
      "details": "jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.",
      "id": "GSD-2011-1755",
      "modified": "2023-12-13T01:19:08.160775Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2011-1755",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "jabberd-xml-entity-dos(67770)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67770"
          },
          {
            "name": "http://codex.xiaoka.com/svn/jabberd2/tags/jabberd-2.2.14/ChangeLog",
            "refsource": "CONFIRM",
            "url": "http://codex.xiaoka.com/svn/jabberd2/tags/jabberd-2.2.14/ChangeLog"
          },
          {
            "name": "44957",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/44957"
          },
          {
            "name": "44787",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/44787"
          },
          {
            "name": "APPLE-SA-2011-10-12-3",
            "refsource": "APPLE",
            "url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html"
          },
          {
            "name": "FEDORA-2011-7801",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061341.html"
          },
          {
            "name": "RHSA-2011:0881",
            "refsource": "REDHAT",
            "url": "http://www.redhat.com/support/errata/RHSA-2011-0881.html"
          },
          {
            "name": "SUSE-SU-2011:0741",
            "refsource": "SUSE",
            "url": "https://hermes.opensuse.org/messages/9197650"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=700390",
            "refsource": "CONFIRM",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=700390"
          },
          {
            "name": "FEDORA-2011-7805",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061458.html"
          },
          {
            "name": "RHSA-2011:0882",
            "refsource": "REDHAT",
            "url": "http://www.redhat.com/support/errata/RHSA-2011-0882.html"
          },
          {
            "name": "48250",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/48250"
          },
          {
            "name": "FEDORA-2011-7818",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061482.html"
          },
          {
            "name": "http://support.apple.com/kb/HT5002",
            "refsource": "CONFIRM",
            "url": "http://support.apple.com/kb/HT5002"
          },
          {
            "name": "45112",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/45112"
          },
          {
            "name": "[jabberd2] 20110531 jabberd-2.2.14 release",
            "refsource": "MLIST",
            "url": "http://www.mail-archive.com/jabberd2@lists.xiaoka.com/msg01655.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:jabberd2:jabberd2:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "DC2DB6CB-509C-45D5-B29E-A08DFF8B641D",
                    "versionEndExcluding": "2.2.14",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:13:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A2D59BD0-43DE-4E58-A057-640AB98359A6",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:14:*:*:*:*:*:*:*",
                    "matchCriteriaId": "BDE52846-24EC-4068-B788-EC7F915FFF11",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:15:*:*:*:*:*:*:*",
                    "matchCriteriaId": "9396E005-22D8-4342-9323-C7DEA379191D",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "5472AEFC-EA25-49B1-AA2B-8405099B4FBE",
                    "versionEndExcluding": "10.6.8",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "5465D904-D83E-4350-B44B-A3322B113928",
                    "versionEndExcluding": "10.7.2",
                    "versionStartIncluding": "10.7.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:apple:mac_os_x_server:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "BD16A092-B263-400F-BD7E-94DEB5D57EDB",
                    "versionEndExcluding": "10.6.8",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:apple:mac_os_x_server:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "C567AE9D-603E-4B37-9BCF-7305033D6561",
                    "versionEndExcluding": "10.7.2",
                    "versionStartIncluding": "10.7.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564."
          },
          {
            "lang": "es",
            "value": "jabberd2 antes de v2.2.14 no detecta correctamente la recursividad durante la expansi\u00f3n de la entidad, lo que permite a atacantes remotos provocar una denegaci\u00f3n de servicio ( consumo de memoria y CPU ) a trav\u00e9s de un documento XML manipulado que contiene un gran n\u00famero de referencias a entidades anidadas, un problema similar a CVE-2003-1564."
          }
        ],
        "id": "CVE-2011-1755",
        "lastModified": "2024-02-02T15:01:55.253",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "PARTIAL",
                "baseScore": 5.0,
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                "version": "2.0"
              },
              "exploitabilityScore": 10.0,
              "impactScore": 2.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2011-06-21T02:52:43.373",
        "references": [
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link"
            ],
            "url": "http://codex.xiaoka.com/svn/jabberd2/tags/jabberd-2.2.14/ChangeLog"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Mailing List"
            ],
            "url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Mailing List"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061341.html"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Mailing List"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061458.html"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Mailing List"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061482.html"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link",
              "Vendor Advisory"
            ],
            "url": "http://secunia.com/advisories/44787"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link"
            ],
            "url": "http://secunia.com/advisories/44957"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link"
            ],
            "url": "http://secunia.com/advisories/45112"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "http://support.apple.com/kb/HT5002"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Release Notes"
            ],
            "url": "http://www.mail-archive.com/jabberd2%40lists.xiaoka.com/msg01655.html"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2011-0881.html"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2011-0882.html"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link",
              "Third Party Advisory",
              "VDB Entry"
            ],
            "url": "http://www.securityfocus.com/bid/48250"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Issue Tracking",
              "Patch"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=700390"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Third Party Advisory",
              "VDB Entry"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67770"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link"
            ],
            "url": "https://hermes.opensuse.org/messages/9197650"
          }
        ],
        "sourceIdentifier": "secalert@redhat.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-776"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

CVE-2011-1755

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

CVE-2011-1755

Vulnerability from cvelistv5

ghsa-rpcf-xw9j-7c7j

Vulnerability from github

rhsa-2011_0881

Vulnerability from csaf_redhat

rhsa-2011_0882

Vulnerability from csaf_redhat

gsd-2011-1755

Vulnerability from gsd

Tags

Sightings

Nomenclature