CVE-2022-25236
expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
El archivo xmlparse.c en Expat (tambiƩn se conoce como libexpat) versiones anteriores a 2.4.5, permite a atacantes insertar caracteres separadores de espacios de nombres en URIs de espacios de nombres
A flaw was found in expat. Passing one or more namespace separator characters in the "xmlns[:prefix]" attribute values made expat send malformed tag names to the XML processor on top of expat. This issue causes arbitrary code execution depending on how unexpected cases are handled inside the XML processor.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-02-16 CVE Reserved
- 2022-02-16 CVE Published
- 2024-08-03 CVE Updated
- 2024-11-01 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-179: Incorrect Behavior Order: Early Validation
- CWE-668: Exposure of Resource to Wrong Sphere
CAPEC
References (13)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/167238/Zoom-XMPP-Stanza-Smuggling-Remote-Code-Execution.html | Third Party Advisory |
|
| http://www.openwall.com/lists/oss-security/2022/02/19/1 | Mailing List |
|
| https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf | Third Party Advisory |
|
| https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20220303-0008 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/libexpat/libexpat/pull/561 | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Libexpat Project Search vendor "Libexpat Project" | Libexpat Search vendor "Libexpat Project" for product "Libexpat" | < 2.4.5 Search vendor "Libexpat Project" for product "Libexpat" and version " < 2.4.5" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Http Server Search vendor "Oracle" for product "Http Server" | 12.2.1.3.0 Search vendor "Oracle" for product "Http Server" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Http Server Search vendor "Oracle" for product "Http Server" | 12.2.1.4.0 Search vendor "Oracle" for product "Http Server" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Zfs Storage Appliance Kit Search vendor "Oracle" for product "Zfs Storage Appliance Kit" | 8.8 Search vendor "Oracle" for product "Zfs Storage Appliance Kit" and version "8.8" | - |
Affected
| ||||||
| Siemens Search vendor "Siemens" | Sinema Remote Connect Server Search vendor "Siemens" for product "Sinema Remote Connect Server" | < 3.1 Search vendor "Siemens" for product "Sinema Remote Connect Server" and version " < 3.1" | - |
Affected
| ||||||