CVE-2013-0339

Name of the Vulnerable Software and Affected Versions libxml2 versions prior to 2.9.2

Description The issue is related to the handling of external entities expansion in libxml2, which can be exploited by remote attackers to cause a denial of service, send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document. This is an XML External Entity (XXE) issue. The xmlSAX2ResolveEntity and xmlSetExternalEntityLoader functions are involved in this issue, and it is noted that the responsibility for resolving this issue may lie with application developers, as libxml2 already provides the ability to disable external entity expansion.

Recommendations For libxml2 versions prior to 2.9.2, consider using the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function to properly handle external entities expansion, or disable external entity expansion to minimize the risk of exploitation. As a temporary workaround, consider restricting the use of the xmlSAX2ResolveEntity and xmlSetExternalEntityLoader functions until a patch is available.