CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23807 – Apache Xerces C++: Use-after-free on external DTD scan
https://notcve.org/view.php?id=CVE-2024-23807
The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs. Users are recommended to upgrade to version 3.2.5 which fixes the issue, or mitigate the issue by disabling DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable. This issue has been disclosed before as CVE-2018-1311, but unfortunately that advisory incorrectly stated the issue would be fixed in version 3.2.3 or 3.2.4. El analizador XML Apache Xerces C++ en las versiones 3.0.0 anteriores a la 3.2.5 contiene un error de use-after-free que se activa durante el escaneo de DTD externos. Se recomienda a los usuarios actualizar a la versión 3.2.5, que soluciona el problema, o mitigarlo desactivando el procesamiento de DTD. Esto se puede lograr a través del DOM usando una función de analizador estándar, o vía SAX usando la variable de entorno XERCES_DISABLE_DTD. • https://github.com/apache/xerces-c/pull/54 https://lists.apache.org/thread/c497tgn864tsbm8w0bo3f0d81s07zk9r • CWE-416: Use After Free •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-37536 – HCL BigFix Platform is vulnerable to an integer overflow in xerces-c++ 3.2.3
https://notcve.org/view.php?id=CVE-2023-37536
An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request. Un desbordamiento de enteros de xerces-c++ 3.2.3 en BigFix Platform permite a atacantes remotos provocar acceso fuera de límites a través de una solicitud HTTP. • https://lists.debian.org/debian-lts-announce/2023/12/msg00027.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7A6WWL4SWKAVYK6VK5YN7KZP4MZWC7IY https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AJYZUBGPVWJ7LEHRCMB5XVADQBNGURXD https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAOSSJ72CUJ535VRWTCVQKUYT2LYR3OM https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107791 • CWE-190: Integer Overflow or Wraparound CWE-680: Integer Overflow to Buffer Overflow •
CVSS: 8.1EPSS: 1%CPEs: 15EXPL: 0CVE-2018-1311 – xerces-c: XML parser contains a use-after-free error triggered during the scanning of external DTDs
https://notcve.org/view.php?id=CVE-2018-1311
The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable. El analizador XML de Apache Xerces - versiones C 3.0.0 hasta 3.2.3, contiene un error de uso de la memoria previamente liberada desencadenado durante el escaneo de los DTD externos. Este error no se ha abordado en la versión mantenida de la biblioteca y no tiene una mitigación actual que no sea deshabilitar el procesamiento de DTD. • http://www.openwall.com/lists/oss-security/2024/02/16/1 https://access.redhat.com/errata/RHSA-2020:0702 https://access.redhat.com/errata/RHSA-2020:0704 https://lists.apache.org/thread.html/r48ea463fde218b1e4cc1a1d05770a0cea34de0600b4355315a49226b%40%3Cc-dev.xerces.apache.org%3E https://lists.apache.org/thread.html/r90ec105571622a7dc3a43b846c12732d2e563561dfb2f72941625f35%40%3Cc-users.xerces.apache.org%3E https://lists.apache.org/thread.html/rabbcc0249de1dda70cda96fd9bcff78217be7a57d96e7dcc8cd96646%40%3Cc-users.xerces.apache.org%3E https:& • CWE-416: Use After Free •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0CVE-2017-12627
https://notcve.org/view.php?id=CVE-2017-12627
In Apache Xerces-C XML Parser library before 3.2.1, processing of external DTD paths can result in a null pointer dereference under certain conditions. En la biblioteca Apache Xerces-C XML Parser en versiones anteriores a la 3.2.1, el procesamiento de rutas DTD externas puede resultar en una desreferencia de puntero NULL bajo ciertas condiciones. • http://seclists.org/oss-sec/2018/q1/203 http://www.securityfocus.com/bid/103219 http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt https://kc.mcafee.com/corporate/index?page=content&id=SB10365 https://lists.debian.org/debian-lts-announce/2018/03/msg00032.html • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2012-0880
https://notcve.org/view.php?id=CVE-2012-0880
Apache Xerces-C++ allows remote attackers to cause a denial of service (CPU consumption) via a crafted message sent to an XML service that causes hash table collisions. Apache Xerces-C++ permite que atacantes remotos provoquen una denegación de servicio (consumo de CPU) mediante un mensaje manipulado enviado a un servicio XML que cause colisiones de tabla hash. • http://seclists.org/oss-sec/2014/q3/96 https://bugzilla.redhat.com/show_bug.cgi?id=787103 • CWE-399: Resource Management Errors •