CVE-2017-16931

Name of the Vulnerable Software and Affected Versions libxml2 versions prior to 2.9.5

Description The issue is caused by a buffer overflow in the NEXTL macro of the libxml2 library's xml parser, specifically in the parser.c file. This can be exploited by a remote attacker to inject XML external entities (XXE Injection) using a specially crafted DTD name containing the '%' character. The vulnerability arises from the mishandling of parameter-entity references when the NEXTL macro encounters a '%' character in a DTD name, leading to the xmlParserHandlePEReference function being called.

Recommendations For libxml2 versions prior to 2.9.5, update to version 2.9.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the NEXTL macro or the xmlParserHandlePEReference function in the parser.c file until a patch is applied. Additionally, avoid using DTD names containing the '%' character in affected API endpoints, such as "/api/v1/xmlparser", until the issue is resolved.