PT-2024-6096 · Libexpat+13
Taiyou · Published 2024-08-29 · Updated 2026-04-01 · CVE-2024-45490
CVSS v3.1: 10 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
libexpat versions prior to 2.6.3
Description
The vulnerability is in libexpat, a library used for parsing XML. It is caused by the library's failure to properly restrict references to external XML entities, and it can allow an attacker to execute arbitrary code. The defect is located in xmlparse.c, which does not reject a negative length passed to XML_ParseBuffer.
Recommendations
For libexpat versions prior to 2.6.3, update to version 2.6.3 or later to resolve the issue. As a temporary workaround until the update can be applied, disable the use of external XML entities in libexpat. Restrict access to the affected parsing code in xmlparse.c to minimize the risk of exploitation, and do not call XML_ParseBuffer with a negative length until the issue is resolved.
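The description and the recommendations both turn on one point: a signed length that is not rejected before it reaches unsigned buffer arithmetic. The C program below is an added illustration, not libexpat's xmlparse.c and not the upstream patch; the `PushBuffer` type, the `pb_*` functions and the 64-byte buffer are constructed for the example. It models a push-parser's buffer bookkeeping twice: once without a sign check, where a negative `len` wraps on conversion to `size_t`, slips past the capacity test and moves the fill position backwards, and once with the check a caller or library should apply before any arithmetic on the length.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a push-parser's input buffer.  This is an added
   illustration and is not libexpat's actual parser structure. */
typedef struct {
    unsigned char buf[64]; /* backing storage (constructed size) */
    size_t capacity;       /* bytes available in buf */
    size_t fill;           /* bytes already committed by earlier calls */
} PushBuffer;

typedef enum {
    PB_STATUS_OK = 0,
    PB_ERROR_INVALID_ARGUMENT, /* negative length rejected up front */
    PB_ERROR_NO_MEMORY         /* length does not fit the remaining space */
} PbStatus;

void pb_init(PushBuffer *pb) {
    memset(pb, 0, sizeof *pb);
    pb->capacity = sizeof pb->buf;
}

/* Unchecked variant: the int len is converted to size_t, so a negative
   value becomes a number close to SIZE_MAX.  fill + n then wraps around,
   the capacity test passes, and fill ends up *smaller* than before. */
PbStatus pb_commit_unchecked(PushBuffer *pb, int len) {
    size_t n = (size_t)len;
    if (pb->fill + n > pb->capacity)   /* wraps for negative len */
        return PB_ERROR_NO_MEMORY;
    pb->fill += n;                      /* moves backwards for negative len */
    return PB_STATUS_OK;
}

/* Checked variant: reject a negative length before any conversion, and
   compare against the remaining space so the addition cannot overflow. */
PbStatus pb_commit_checked(PushBuffer *pb, int len) {
    if (len < 0)
        return PB_ERROR_INVALID_ARGUMENT;
    size_t n = (size_t)len;
    if (n > pb->capacity - pb->fill)
        return PB_ERROR_NO_MEMORY;
    pb->fill += n;
    return PB_STATUS_OK;
}

int main(void) {
    PushBuffer a, b;
    pb_init(&a);
    pb_init(&b);

    pb_commit_unchecked(&a, 10);
    PbStatus ua = pb_commit_unchecked(&a, -4);
    printf("unchecked: status=%d fill=%zu (expected a rejection, got fill moving back)\n",
           (int)ua, a.fill);

    pb_commit_checked(&b, 10);
    PbStatus cb = pb_commit_checked(&b, -4);
    printf("checked:   status=%d fill=%zu (negative length rejected, fill unchanged)\n",
           (int)cb, b.fill);
    return 0;
}
```

The checked variant does two things the unchecked one does not: it tests the sign while the value is still an `int`, and it subtracts before comparing so that `capacity - fill` can never wrap. Both matter; a sign check alone still leaves `fill + n` free to overflow for very large positive lengths.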
Fix
DoS · XXE · Integer Overflow
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Ibm Aix
Linuxmint
Apple Macos
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Libexpat