Vulnerabilities > CVE-2017-16932 - Infinite Loop vulnerability in Xmlsoft Libxml2

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
xmlsoft
CWE-835
nessus
NVD
Published: 2017-11-23
Updated: 2023-11-07

Summary

parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.

Vulnerable Configurations

Part Description Count
Application
Xmlsoft
13

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0395-1.NASL
    descriptionThis update for libxml2 fixes several issues. Theses security issues were fixed : - CVE-2017-16932: Fixed infinite recursion could lead to an infinite loop or memory exhaustion when expanding a parameter entity in a DTD (bsc#1069689). - CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993) - CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813) - CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106707
    published2018-02-09
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106707
    titleSUSE SLES11 Security Update : libxml2 (SUSE-SU-2018:0395-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1089.NASL
    descriptionAccording to the versions of the libxml2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.(CVE-2016-5131) - parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a
    last seen2020-05-06
    modified2018-05-02
    plugin id109487
    published2018-05-02
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109487
    titleEulerOS 2.0 SP2 : libxml2 (EulerOS-SA-2018-1089)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1257.NASL
    descriptionAccording to the versions of the libxml2 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.(CVE-2017-0663) - parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a
    last seen2020-06-01
    modified2020-06-02
    plugin id117566
    published2018-09-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117566
    titleEulerOS Virtualization 2.5.1 : libxml2 (EulerOS-SA-2018-1257)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1156.NASL
    descriptionAccording to the versions of the libxml2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.(CVE-2016-5131) - parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a
    last seen2020-05-06
    modified2018-06-28
    plugin id110732
    published2018-06-28
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110732
    titleEulerOS 2.0 SP3 : libxml2 (EulerOS-SA-2018-1156)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1194.NASL
    descriptionCVE-2017-16931 parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a
    last seen2020-03-17
    modified2017-12-01
    plugin id104936
    published2017-12-01
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104936
    titleDebian DLA-1194-1 : libxml2 security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1088.NASL
    descriptionAccording to the versions of the libxml2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.(CVE-2016-5131) - parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a
    last seen2020-05-06
    modified2018-05-02
    plugin id109486
    published2018-05-02
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109486
    titleEulerOS 2.0 SP1 : libxml2 (EulerOS-SA-2018-1088)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1258.NASL
    descriptionAccording to the versions of the libxml2 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.(CVE-2017-0663) - parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a
    last seen2020-06-01
    modified2020-06-02
    plugin id117567
    published2018-09-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117567
    titleEulerOS Virtualization 2.5.0 : libxml2 (EulerOS-SA-2018-1258)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3504-1.NASL
    descriptionWei Lei discovered that libxml2 incorrecty handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id105037
    published2017-12-06
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105037
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : libxml2 vulnerability (USN-3504-1)
  • NASL familyMisc.
    NASL idCLAMAV_0_100_1.NASL
    descriptionAccording to its version, the ClamAV clamd antivirus daemon running on the remote host is prior to 0.100.1. It is, therefore, affected by multiple vulnerabilities.
    last seen2020-04-30
    modified2018-08-03
    plugin id111517
    published2018-08-03
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111517
    titleClamAV < 0.100.1 Multiple Vulnerabilities
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_D1E9D8C5839B11E896109C5C8E75236A.NASL
    descriptionJoel Esler reports : 3 security fixes in this release : - CVE-2017-16932: Vulnerability in libxml2 dependency (affects ClamAV on Windows only). - CVE-2018-0360: HWP integer overflow, infinite loop vulnerability. Reported by Secunia Research at Flexera. - CVE-2018-0361: ClamAV PDF object length check, unreasonably long time to parse relatively small file. Report ed by aCaB.
    last seen2020-06-01
    modified2020-06-02
    plugin id110970
    published2018-07-10
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110970
    titleFreeBSD : clamav -- multiple vulnerabilities (d1e9d8c5-839b-11e8-9610-9c5c8e75236a)

References