CVE-2017-9233

Name of the Vulnerable Software and Affected Versions libexpat versions 2.2.0 and earlier libexpat versions prior to 2.1.0 Firefox versions prior to 50

Description The issue is related to the XML External Entity vulnerability in the Expat XML Parser Library, which allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD. This can lead to a denial of service (crash) or possibly execute arbitrary code via a malformed input document. The vulnerability is also associated with incorrect restriction of XML links to external DTD objects, and an integer overflow during the parsing of XML. Additionally, the XML parser computes hash values without restricting the ability to trigger hash collisions predictably, allowing context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.

Recommendations For libexpat versions 2.2.0 and earlier, update to a version later than 2.2.0 to resolve the issue. For libexpat versions prior to 2.1.0, update to a version later than 2.1.0 to resolve the issue. For Firefox versions prior to 50, update to a version 50 or later to resolve the issue. As a temporary workaround, consider restricting the use of external DTD objects to minimize the risk of exploitation. Avoid using the entityValueInitProcessor function until a patch is available.