ID CVE-2015-3451
Summary The _clone function in XML::LibXML before 2.0119 does not properly set the expand_entities option, which allows remote attackers to conduct XML external entity (XXE) attacks via crafted XML data to the (1) new or (2) load_xml function.
Vulnerable Configurations
  • cpe:2.3:a:xml-libxml_project:xml-libxml:0.91:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:0.92:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:0.96:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.30:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.40:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.70:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.71:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.72:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.73:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.74:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.75:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.76:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.77:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.78:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.79:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.80:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.81:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.82:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.83:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.84:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.85:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.86:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.87:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.88:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.89:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.90:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.91:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.92:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.93:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.94:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.95:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.96:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.97:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.98:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:1.99:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0000:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0001:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0002:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0003:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0004:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0005:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0006:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0007:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0008:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0009:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0010:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0011:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0012:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0015:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0016:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0017:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0018:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0019:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0100:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0101:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0102:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0103:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0104:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0105:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0106:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0107:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0108:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0109:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0110:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0111:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0112:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0113:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0114:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0115:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0116:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0117:*:*:*:*:perl:*:*
  • cpe:2.3:a:xml-libxml_project:xml-libxml:2.0118:*:*:*:*:perl:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 29-04-2020 - 13:17)
Impact:
Exploitability:
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
refmap via4
bid 74333
confirm
debian DSA-3243
fedora
  • FEDORA-2015-7115
  • FEDORA-2015-7258
mandriva MDVSA-2015:231
mlist
  • [oss-security] 20150424 CVE request: Perl XML::LibXML
  • [oss-security] 20150430 Re: CVE request: Perl XML::LibXML
suse openSUSE-SU-2015:1506
ubuntu USN-2592-1
Last major update 29-04-2020 - 13:17
Published 12-05-2015 - 19:59
Last modified 29-04-2020 - 13:17