PT-2009-1105 · Expat+5

Published: 2009-01-17 · Updated: 2024-06-15 · CVE-2009-3720

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions

Expat versions prior to 2.1.0 beta3

Description

The issue is related to multiple vulnerabilities in the expat package, which can lead to a denial of service. This can be exploited remotely. Specifically, the updatePosition function in lib/xmltok_impl.c allows context-dependent attackers to cause an application crash via an XML document with crafted UTF-8 sequences that trigger a buffer over-read. A buffer over-read flaw was also found in the bundled expat library, which can cause a crash if an attacker can get Apache to parse an untrusted XML document.

Recommendations

For versions prior to 2.1.0 beta3, update to version 2.1.0 beta3 or later to resolve the issue. As a temporary workaround, consider restricting access to the updatePosition function in lib/xmltok_impl.c until a patch is available. Additionally, avoid parsing untrusted XML documents to minimize the risk of exploitation.

Exploit

Fix

Buffer Overflow

Weakness Enumeration

Related Identifiers

AZL-43945
AZL-44685
BDU:2015-09649
CVE-2009-3720
DSA-1921-1
DSA-1977-1
HPSBUX02645
OPENSUSE-SU-2024:10077-1
OPENSUSE-SU-2024:10268-1
OPENSUSE-SU-2024:10568-1
RHSA-2009:1572
RHSA-2009:1625
RHSA-2009_1572
RHSA-2009_1625
RHSA-2010:0002
RHSA-2010_0002
RHSA-2011:0491
RHSA-2011:0492
RHSA-2011_0491
RHSA-2011_0492
USN-890-1
USN-890-2
USN-890-3
USN-890-4
USN-890-5
USN-890-6

Affected Products

Apache HTTP Server
Debian
Expat
HP-UX
Red Hat
iTunes