PT-2024-1816 · Apache · Apache Xerces-C

Arnout Engelen · Published 2024-02-16 · Updated 2025-03-06 · CVE-2024-23807

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Xerces C++ XML parser versions 3.0.0 through 3.2.5

Description: The issue is a use-after-free error triggered while scanning external DTDs. A remote attacker can exploit it to execute arbitrary code. Users can mitigate the issue by disabling DTD processing, either via the DOM using a standard parser feature or via SAX using the XERCES_DISABLE_DTD environment variable.

Recommendations: Upgrade to version 3.2.5, which fixes the problem. As a temporary workaround, disable DTD processing via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

Exploit · Fix

Weakness Enumeration

Use After Free

Related Identifiers

ALT-PU-2023-8427
ALT-PU-2024-8078
ALT-PU-2025-3748
AZL-55883
AZL-55898
BDU:2024-01559
CVE-2024-23807

Affected Products

Alt Linux
Apache Xerces-C