CVE-2014-0191

libxml2: external parameter entity loaded when entity substitution is disabled

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

La función xmlParserHandlePEReference en parser.c en libxml2 en versiones anteriores a 2.9.2, como se utiliza en Web Listener en Oracle HTTP Server en Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0 y 12.1.3.0 y otros productos, carga entidades de parámetro externas independientemente de si la sustitución de entidad o la validación están habilitadas, lo que permite a atacantes remotos causar una denegación de servicio (consumo de recursos) a través de un documento XML manipulado.

It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system.

It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2013-12-03 CVE Reserved
2014-05-12 CVE Published
2024-08-06 CVE Updated
2025-04-14 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-611: Improper Restriction of XML External Entity Reference

CAPEC

References (15)

URL	Tag	Source
http://www-01.ibm.com/support/docview.wss?uid=swg21678183	X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html	X_refsource_confirm
http://www.securityfocus.com/bid/67233	Vdb Entry
http://xmlsoft.org/news.html	X_refsource_confirm
https://exchange.xforce.ibmcloud.com/vulnerabilities/93092	Vdb Entry
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df	X_refsource_confirm
https://support.apple.com/kb/HT205030	X_refsource_confirm
https://support.apple.com/kb/HT205031	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html	2017-08-29

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html	2017-08-29
http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html	2017-08-29
http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html	2017-08-29
http://rhn.redhat.com/errata/RHSA-2015-0749.html	2017-08-29
https://bugzilla.redhat.com/show_bug.cgi?id=1090976	2015-03-30
https://access.redhat.com/security/cve/CVE-2014-0191	2015-03-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Oracle Search vendor "Oracle"		Fusion Middleware Search vendor "Oracle" for product "Fusion Middleware"				11.1.1.7.0 Search vendor "Oracle" for product "Fusion Middleware" and version "11.1.1.7.0"		-		Affected
Oracle Search vendor "Oracle"		Fusion Middleware Search vendor "Oracle" for product "Fusion Middleware"				12.1.2.0.0 Search vendor "Oracle" for product "Fusion Middleware" and version "12.1.2.0.0"		-		Affected
Oracle Search vendor "Oracle"		Fusion Middleware Search vendor "Oracle" for product "Fusion Middleware"				12.1.3.0.0 Search vendor "Oracle" for product "Fusion Middleware" and version "12.1.3.0.0"		-		Affected