<p>There is no fixed version for <code>Debian:9</code> <code>expat</code>.</p>

XML External Entity (XXE) Injection Affecting expat package, versions *

Threat Intelligence

0.52% (78^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-DEBIAN9-EXPAT-358078
published 21 Jan 2014
disclosed 21 Jan 2014

Report a new vulnerability Found a mistake?

Introduced: 21 Jan 2014

CVE-2013-0340 Open this link in a new tab CWE-611 Open this link in a new tab

How to fix?

There is no fixed version for Debian:9 expat.

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:9 relevant fixed versions and status.

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

Required

Scope (S)

Unchanged

Confidentiality (C)

Low
Integrity (I)

Low
Availability (A)

Low