CVE-2023-39615

Publication date 29 August 2023

Last updated 24 July 2024


Ubuntu priority

CVSS 3 Severity Score

6.5 · Medium


** DISPUTED ** Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.


Status

Package Ubuntu Release Status
libxml2 23.10 mantic Not affected
libxml2 23.04 lunar Not affected
libxml2 22.04 LTS jammy Not affected
libxml2 20.04 LTS focal Not affected
libxml2 18.04 LTS bionic Not affected
libxml2 16.04 LTS xenial Not affected
libxml2 14.04 LTS trusty Not affected

Notes


ccdm94

As explained by upstream in issue #535, this is not considered a security issue but, instead, a mode of operation that was not working properly, regardless of the input provided. It is also not possible to reproduce the issue in versions older than 2.11.0, meaning no Ubuntu releases as of 2022-11-21 would allow this, the provided PoC not being able to generate the crash on these releases.

Severity score breakdown

Parameter Value
Base score 6.5 · Medium
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H