ID CVE-2018-14567
Summary libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
References
Vulnerable Configurations
  • cpe:2.3:a:xmlsoft:libxml2:2.9.8:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 10-09-2020 - 01:15)
Impact:
Exploitability:
CWE CWE-835
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:N/A:P
redhat via4
advisories
bugzilla
id 1619875
title CVE-2018-14567 libxml2: Infinite loop caused by incorrect error detection during LZMA decompression
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 7 is installed
      oval oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment libxml2 is earlier than 0:2.9.1-6.el7.4
          oval oval:com.redhat.rhsa:tst:20201190001
        • comment libxml2 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749002
      • AND
        • comment libxml2-devel is earlier than 0:2.9.1-6.el7.4
          oval oval:com.redhat.rhsa:tst:20201190003
        • comment libxml2-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749004
      • AND
        • comment libxml2-python is earlier than 0:2.9.1-6.el7.4
          oval oval:com.redhat.rhsa:tst:20201190005
        • comment libxml2-python is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749006
      • AND
        • comment libxml2-static is earlier than 0:2.9.1-6.el7.4
          oval oval:com.redhat.rhsa:tst:20201190007
        • comment libxml2-static is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749008
rhsa
id RHSA-2020:1190
released 2020-03-31
severity Moderate
title RHSA-2020:1190: libxml2 security update (Moderate)
rpms
  • libxml2-0:2.9.1-6.el7.4
  • libxml2-debuginfo-0:2.9.1-6.el7.4
  • libxml2-devel-0:2.9.1-6.el7.4
  • libxml2-python-0:2.9.1-6.el7.4
  • libxml2-static-0:2.9.1-6.el7.4
refmap via4
bid 105198
confirm https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74
mlist
  • [debian-lts-announce] 20180927 [SECURITY] [DLA 1524-1] libxml2 security update
  • [debian-lts-announce] 20200909 [SECURITY] [DLA 2369-1] libxml2 security update
ubuntu USN-3739-1
Last major update 10-09-2020 - 01:15
Published 16-08-2018 - 20:29
Last modified 10-09-2020 - 01:15