
CVE-2024-23807 – Apache Xerces C++: Use-after-free on external DTD scan
https://notcve.org/view.php?id=CVE-2024-23807
28 Feb 2024 — The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs. Users are recommended to upgrade to version 3.2.5 which fixes the issue, or mitigate the issue by disabling DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable. This issue has been disclosed before as CVE-2018-1311, but unfortunately that advisory incorrectly stated the is... • https://github.com/apache/xerces-c/pull/54 • CWE-416: Use After Free •

CVE-2023-37536 – HCL BigFix Platform is vulnerable to an integer overflow in xerces-c++ 3.2.3
https://notcve.org/view.php?id=CVE-2023-37536
11 Oct 2023 — An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request. An integer overflow exists in xerces-c++. This flaw allows an attacker using a specially crafted HTTP request payload to trigger an out-of-bounds read, resulting in a loss of confidentiality, integrity, and availability. ... • https://lists.debian.org/debian-lts-announce/2023/12/msg00027.html • CWE-190: Integer Overflow or Wraparound CWE-680: Integer Overflow to Buffer Overflow •

CVE-2018-1311 – xerces-c: XML parser contains a use-after-free error triggered during the scanning of external DTDs
https://notcve.org/view.php?id=CVE-2018-1311
18 Dec 2019 — The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable. ... • https://github.com/johnjamesmccann/xerces-3.2.3-DTD-hotfix • CWE-416: Use After Free •

CVE-2017-12627
https://notcve.org/view.php?id=CVE-2017-12627
01 Mar 2018 — In Apache Xerces-C XML Parser library before 3.2.1, processing of external DTD paths can result in a null pointer dereference under certain conditions. • http://seclists.org/oss-sec/2018/q1/203 • CWE-476: NULL Pointer Dereference •

CVE-2012-0880
https://notcve.org/view.php?id=CVE-2012-0880
08 Aug 2017 — Apache Xerces-C++ allows remote attackers to cause a denial of service (CPU consumption) via a crafted message sent to an XML service that causes hash table collisions. • http://seclists.org/oss-sec/2014/q3/96 • CWE-399: Resource Management Errors •

CVE-2016-4463 – xerces-c: Stack overflow when parsing deeply nested DTD
https://notcve.org/view.php?id=CVE-2016-4463
29 Jun 2016 — Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows context-dependent attackers to cause a denial of service via a deeply nested DTD. A stack exhaustion flaw was found in the way Xerces-C XML parser handled deeply nested DTDs. An attacker could potentially use this flaw to cras... • https://github.com/arntsonl/CVE-2016-4463 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •

CVE-2016-2099 – Gentoo Linux Security Advisory 201612-46
https://notcve.org/view.php?id=CVE-2016-2099
13 May 2016 — Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier allows context-dependent attackers to have unspecified impact via an invalid character in an XML document. Gustavo Grieco discovered an use-a... • http://lists.opensuse.org/opensuse-updates/2016-07/msg00016.html •

CVE-2015-0252 – Apache Xerces-C XML Parser < 3.1.2 - Denial of Service (PoC)
https://notcve.org/view.php?id=CVE-2015-0252
21 Mar 2015 — internal/XMLReader.cpp in Apache Xerces-C before 3.1.2 allows remote attackers to cause a denial of service (segmentation fault and crash) via crafted XML data. A flaw was found in the way the Xerces-C XML parser processed certain XML documents. A remote attacker could provide specially crafted XML input that, when parsed ... • https://packetstorm.news/files/id/131756 • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2009-1885
https://notcve.org/view.php?id=CVE-2009-1885
11 Aug 2009 — Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in "simply nested DTD structures," as demonstrated by the Codenomicon XML fuzzing framework. ... • http://secunia.com/advisories/36201 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2008-4482
https://notcve.org/view.php?id=CVE-2008-4482
08 Oct 2008 — The XML parser in Xerces-C++ before 3.0.0 allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an XML schema definition with a large maxOccurs value, which triggers excessive memory consumption during validation of an XML file. ... • http://issues.apache.org/jira/browse/XERCESC-1051 • CWE-20: Improper Input Validation •