ID CVE-2020-7595
Summary xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
References
Vulnerable Configurations
  • cpe:2.3:a:xmlsoft:libxml2:2.9.10:*:*:*:*:*:*:*
    cpe:2.3:a:xmlsoft:libxml2:2.9.10:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:siemens:sinema_remote_connect_server:1.1:*:*:*:*:*:*:*
    cpe:2.3:a:siemens:sinema_remote_connect_server:1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:siemens:sinema_remote_connect_server:2.0:-:*:*:*:*:*:*
    cpe:2.3:a:siemens:sinema_remote_connect_server:2.0:-:*:*:*:*:*:*
  • cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*
    cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*
  • cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:symantec_netbackup:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:symantec_netbackup:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
    cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*
    cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:real_user_experience_insight:13.3.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:real_user_experience_insight:13.3.1.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 21-04-2021 - 17:32)
Impact:
Exploitability:
CWE CWE-835
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
  • bugzilla
    id 1812145
    title XSD validation fails on xsd:any
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment libxml2 is earlier than 0:2.9.1-6.el7.5
            oval oval:com.redhat.rhsa:tst:20203996001
          • comment libxml2 is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749002
        • AND
          • comment libxml2-devel is earlier than 0:2.9.1-6.el7.5
            oval oval:com.redhat.rhsa:tst:20203996003
          • comment libxml2-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749004
        • AND
          • comment libxml2-python is earlier than 0:2.9.1-6.el7.5
            oval oval:com.redhat.rhsa:tst:20203996005
          • comment libxml2-python is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749006
        • AND
          • comment libxml2-static is earlier than 0:2.9.1-6.el7.5
            oval oval:com.redhat.rhsa:tst:20203996007
          • comment libxml2-static is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749008
    rhsa
    id RHSA-2020:3996
    released 2020-09-29
    severity Moderate
    title RHSA-2020:3996: libxml2 security and bug fix update (Moderate)
  • bugzilla
    id 1799786
    title CVE-2020-7595 libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 8 is installed
        oval oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment libxml2 is earlier than 0:2.9.7-8.el8
            oval oval:com.redhat.rhsa:tst:20204479001
          • comment libxml2 is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749002
        • AND
          • comment libxml2-debugsource is earlier than 0:2.9.7-8.el8
            oval oval:com.redhat.rhsa:tst:20204479003
          • comment libxml2-debugsource is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20201827004
        • AND
          • comment libxml2-devel is earlier than 0:2.9.7-8.el8
            oval oval:com.redhat.rhsa:tst:20204479005
          • comment libxml2-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111749004
        • AND
          • comment python3-libxml2 is earlier than 0:2.9.7-8.el8
            oval oval:com.redhat.rhsa:tst:20204479007
          • comment python3-libxml2 is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20201827008
    rhsa
    id RHSA-2020:4479
    released 2020-11-04
    severity Moderate
    title RHSA-2020:4479: libxml2 security update (Moderate)
rpms
  • jbcs-httpd24-curl-0:7.64.1-36.jbcs.el6
  • jbcs-httpd24-curl-0:7.64.1-36.jbcs.el7
  • jbcs-httpd24-curl-debuginfo-0:7.64.1-36.jbcs.el6
  • jbcs-httpd24-curl-debuginfo-0:7.64.1-36.jbcs.el7
  • jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el6
  • jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el7
  • jbcs-httpd24-httpd-debuginfo-0:2.4.37-57.jbcs.el6
  • jbcs-httpd24-httpd-debuginfo-0:2.4.37-57.jbcs.el7
  • jbcs-httpd24-httpd-devel-0:2.4.37-57.jbcs.el6
  • jbcs-httpd24-httpd-devel-0:2.4.37-57.jbcs.el7
  • jbcs-httpd24-httpd-manual-0:2.4.37-57.jbcs.el6
  • jbcs-httpd24-httpd-manual-0:2.4.37-57.jbcs.el7
  • jbcs-httpd24-httpd-selinux-0:2.4.37-57.jbcs.el6
  • jbcs-httpd24-httpd-selinux-0:2.4.37-57.jbcs.el7
  • jbcs-httpd24-httpd-tools-0:2.4.37-57.jbcs.el6
  • jbcs-httpd24-httpd-tools-0:2.4.37-57.jbcs.el7
  • jbcs-httpd24-libcurl-0:7.64.1-36.jbcs.el6
  • jbcs-httpd24-libcurl-0:7.64.1-36.jbcs.el7
  • jbcs-httpd24-libcurl-devel-0:7.64.1-36.jbcs.el6
  • jbcs-httpd24-libcurl-devel-0:7.64.1-36.jbcs.el7
  • jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el6
  • jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el7
  • jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.14-4.Final_redhat_2.jbcs.el6
  • jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.14-4.Final_redhat_2.jbcs.el7
  • jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el6
  • jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el7
  • jbcs-httpd24-mod_http2-debuginfo-0:1.15.7-3.jbcs.el6
  • jbcs-httpd24-mod_http2-debuginfo-0:1.15.7-3.jbcs.el7
  • jbcs-httpd24-mod_jk-ap24-0:1.2.48-4.redhat_1.jbcs.el6
  • jbcs-httpd24-mod_jk-ap24-0:1.2.48-4.redhat_1.jbcs.el7
  • jbcs-httpd24-mod_jk-debuginfo-0:1.2.48-4.redhat_1.jbcs.el6
  • jbcs-httpd24-mod_jk-debuginfo-0:1.2.48-4.redhat_1.jbcs.el7
  • jbcs-httpd24-mod_jk-manual-0:1.2.48-4.redhat_1.jbcs.el6
  • jbcs-httpd24-mod_jk-manual-0:1.2.48-4.redhat_1.jbcs.el7
  • jbcs-httpd24-mod_ldap-0:2.4.37-57.jbcs.el6
  • jbcs-httpd24-mod_ldap-0:2.4.37-57.jbcs.el7
  • jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el6
  • jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el7
  • jbcs-httpd24-mod_md-debuginfo-1:2.0.8-24.jbcs.el6
  • jbcs-httpd24-mod_md-debuginfo-1:2.0.8-24.jbcs.el7
  • jbcs-httpd24-mod_proxy_html-1:2.4.37-57.jbcs.el6
  • jbcs-httpd24-mod_proxy_html-1:2.4.37-57.jbcs.el7
  • jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el6
  • jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el7
  • jbcs-httpd24-mod_security-debuginfo-0:2.9.2-51.GA.jbcs.el6
  • jbcs-httpd24-mod_security-debuginfo-0:2.9.2-51.GA.jbcs.el7
  • jbcs-httpd24-mod_session-0:2.4.37-57.jbcs.el6
  • jbcs-httpd24-mod_session-0:2.4.37-57.jbcs.el7
  • jbcs-httpd24-mod_ssl-1:2.4.37-57.jbcs.el6
  • jbcs-httpd24-mod_ssl-1:2.4.37-57.jbcs.el7
  • jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el6
  • jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el7
  • jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-25.jbcs.el6
  • jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-25.jbcs.el7
  • jbcs-httpd24-nghttp2-devel-0:1.39.2-25.jbcs.el6
  • jbcs-httpd24-nghttp2-devel-0:1.39.2-25.jbcs.el7
  • jbcs-httpd24-openssl-pkcs11-0:0.4.10-7.jbcs.el7
  • jbcs-httpd24-openssl-pkcs11-debuginfo-0:0.4.10-7.jbcs.el7
  • libxml2-0:2.9.1-6.el7.5
  • libxml2-debuginfo-0:2.9.1-6.el7.5
  • libxml2-devel-0:2.9.1-6.el7.5
  • libxml2-python-0:2.9.1-6.el7.5
  • libxml2-static-0:2.9.1-6.el7.5
  • libxml2-0:2.9.7-8.el8
  • libxml2-debuginfo-0:2.9.7-8.el8
  • libxml2-debugsource-0:2.9.7-8.el8
  • libxml2-devel-0:2.9.7-8.el8
  • python3-libxml2-0:2.9.7-8.el8
  • python3-libxml2-debuginfo-0:2.9.7-8.el8
refmap via4
confirm https://security.netapp.com/advisory/ntap-20200702-0005/
fedora
  • FEDORA-2020-0c71c00af4
  • FEDORA-2020-41fe1680f6
  • FEDORA-2020-7694e8be73
gentoo GLSA-202010-04
misc
mlist [debian-lts-announce] 20200909 [SECURITY] [DLA 2369-1] libxml2 security update
suse openSUSE-SU-2020:0681
ubuntu USN-4274-1
Last major update 21-04-2021 - 17:32
Published 21-01-2020 - 23:15
Last modified 21-04-2021 - 17:32
Back to Top