Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') Affecting libclamav9 package, versions <0.103.8-150000.3.44.1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-SLES154-LIBCLAMAV9-3329371
- published 22 Feb 2023
- disclosed 21 Feb 2023
Introduced: 21 Feb 2023
CVE-2023-20052 Open this link in a new tabHow to fix?
Upgrade SLES:15.4 libclamav9 to version 0.103.8-150000.3.44.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libclamav9 package and not the libclamav9 package as distributed by SLES.
See How to fix? for SLES:15.4 relevant fixed versions and status.
On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed:
A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device.
This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.