CVE-2003-1564

First published: Sun Feb 02 2003(Updated: )

libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
Xmlsoft Libxml2	=2.2.0
Xmlsoft Libxml2	=2.2.2
Xmlsoft Libxml2	=2.4.30
Xmlsoft Libxml2	=1.8.0
Xmlsoft Libxml2	=1.8.16
Xmlsoft Libxml2	=2.1.0
Xmlsoft Libxml2	=2.4.19
Xmlsoft Libxml2	=2.4.7
Xmlsoft Libxml2	=2.4.17
Xmlsoft Libxml2	=1.7.1
Xmlsoft Libxml2	=2.4.12
Xmlsoft Libxml2	=2.1.1
Xmlsoft Libxml2	=2.2.4
Xmlsoft Libxml2	=2.3.6
Xmlsoft Libxml2	=2.3.7
Xmlsoft Libxml2	=2.4.20
Xmlsoft Libxml2	=2.4.21
Xmlsoft Libxml2	=2.5.0
Xmlsoft Libxml2	=2.2.9
Xmlsoft Libxml2	=2.3.14
Xmlsoft Libxml2	=2.4.24
Xmlsoft Libxml2	=2.4.25
Xmlsoft Libxml2	=2.4.6
Xmlsoft Libxml2	=1.8.5
Xmlsoft Libxml2	=2.2.6
Xmlsoft Libxml2	=2.3.13
Xmlsoft Libxml2	=2.3.8
Xmlsoft Libxml2	=1.7.2
Xmlsoft Libxml2	=1.8.9
Xmlsoft Libxml2	=2.0.0
Xmlsoft Libxml2	=2.2.3
Xmlsoft Libxml2	=2.3.0
Xmlsoft Libxml2	=2.3.1
Xmlsoft Libxml2	=2.3.3
Xmlsoft Libxml2	=2.3.4
Xmlsoft Libxml2	=2.3.5
Xmlsoft Libxml2	=2.4.11
Xmlsoft Libxml2	=2.4.2
Xmlsoft Libxml2	=2.4.27
Xmlsoft Libxml2	=2.4.28
Xmlsoft Libxml2	=2.4.8
Xmlsoft Libxml2	=1.8.2
Xmlsoft Libxml2	=1.8.3
Xmlsoft Libxml2	=2.2.5
Xmlsoft Libxml2	=2.3.10
Xmlsoft Libxml2	=2.4.13
Xmlsoft Libxml2	=2.4.9
Xmlsoft Libxml2	=1.7.0
Xmlsoft Libxml2	=1.8.10
Xmlsoft Libxml2	=1.8.13
Xmlsoft Libxml2	=1.8.6
Xmlsoft Libxml2	=1.8.7
Xmlsoft Libxml2	=2.2.10
Xmlsoft Libxml2	=2.2.8
Xmlsoft Libxml2	=2.4.10
Xmlsoft Libxml2	=2.4.18
Xmlsoft Libxml2	=2.4.26
Xmlsoft Libxml2	=2.4.5
Xmlsoft Libxml2	=2.2.0-beta
Xmlsoft Libxml2	=2.2.7
Xmlsoft Libxml2	=2.4.15
Xmlsoft Libxml2	=2.4.16
Xmlsoft Libxml2	=2.4.22
Xmlsoft Libxml2	=1.8.14
Xmlsoft Libxml2	=1.7.3
Xmlsoft Libxml2	=1.7.4
Xmlsoft Libxml2	=2.3.11
Xmlsoft Libxml2	=2.4.14
Xmlsoft Libxml2	=2.4.29
Xmlsoft Libxml2	=2.4.3
Xmlsoft Libxml2	=2.2.11
Xmlsoft Libxml2	=2.3.2
Xmlsoft Libxml2	=2.4.1
Xmlsoft Libxml2	=1.8.1
Xmlsoft Libxml2	=1.8.4
Xmlsoft Libxml2	=2.2.1
Xmlsoft Libxml2	=2.3.12
Xmlsoft Libxml2	=2.3.9
Xmlsoft Libxml2	=2.4.23
Xmlsoft Libxml2	=2.4.4
Xmlsoft Libxml2	<2.5.0

Remedy

http://mail.gnome.org/archives/xml/2008-August/msg00034.html

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

RHSA-2008:0886

collector/nvd-historical
collector/nvd-index
agent/type
agent/event
agent/first-publish-date
collector/redhat-cve
source/Red Hat
collector/redhat-bugzilla
alias/CVE-2003-1564
agent/references
agent/description
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/last-modified-date
agent/weakness
agent/severity
agent/remedy
agent/author
agent/softwarecombine
agent/tags
collector/mitre-cve
source/MITRE
vendor/xmlsoft
canonical/xmlsoft libxml2
version/xmlsoft libxml2/2.2.0
version/xmlsoft libxml2/2.2.2
version/xmlsoft libxml2/2.4.30
version/xmlsoft libxml2/1.8.0
version/xmlsoft libxml2/1.8.16
version/xmlsoft libxml2/2.1.0
version/xmlsoft libxml2/2.4.19
version/xmlsoft libxml2/2.4.7
version/xmlsoft libxml2/2.4.17
version/xmlsoft libxml2/1.7.1
version/xmlsoft libxml2/2.4.12
version/xmlsoft libxml2/2.1.1
version/xmlsoft libxml2/2.2.4
version/xmlsoft libxml2/2.3.6
version/xmlsoft libxml2/2.3.7
version/xmlsoft libxml2/2.4.20
version/xmlsoft libxml2/2.4.21
version/xmlsoft libxml2/2.5.0
version/xmlsoft libxml2/2.2.9
version/xmlsoft libxml2/2.3.14
version/xmlsoft libxml2/2.4.24
version/xmlsoft libxml2/2.4.25
version/xmlsoft libxml2/2.4.6
version/xmlsoft libxml2/1.8.5
version/xmlsoft libxml2/2.2.6
version/xmlsoft libxml2/2.3.13
version/xmlsoft libxml2/2.3.8
version/xmlsoft libxml2/1.7.2
version/xmlsoft libxml2/1.8.9
version/xmlsoft libxml2/2.0.0
version/xmlsoft libxml2/2.2.3
version/xmlsoft libxml2/2.3.0
version/xmlsoft libxml2/2.3.1
version/xmlsoft libxml2/2.3.3
version/xmlsoft libxml2/2.3.4
version/xmlsoft libxml2/2.3.5
version/xmlsoft libxml2/2.4.11
version/xmlsoft libxml2/2.4.2
version/xmlsoft libxml2/2.4.27
version/xmlsoft libxml2/2.4.28
version/xmlsoft libxml2/2.4.8
version/xmlsoft libxml2/1.8.2
version/xmlsoft libxml2/1.8.3
version/xmlsoft libxml2/2.2.5
version/xmlsoft libxml2/2.3.10
version/xmlsoft libxml2/2.4.13
version/xmlsoft libxml2/2.4.9
version/xmlsoft libxml2/1.7.0
version/xmlsoft libxml2/1.8.10
version/xmlsoft libxml2/1.8.13
version/xmlsoft libxml2/1.8.6
version/xmlsoft libxml2/1.8.7
version/xmlsoft libxml2/2.2.10
version/xmlsoft libxml2/2.2.8
version/xmlsoft libxml2/2.4.10
version/xmlsoft libxml2/2.4.18
version/xmlsoft libxml2/2.4.26
version/xmlsoft libxml2/2.4.5
version/xmlsoft libxml2/2.2.0-beta
version/xmlsoft libxml2/2.2.7
version/xmlsoft libxml2/2.4.15
version/xmlsoft libxml2/2.4.16
version/xmlsoft libxml2/2.4.22
version/xmlsoft libxml2/1.8.14
version/xmlsoft libxml2/1.7.3
version/xmlsoft libxml2/1.7.4
version/xmlsoft libxml2/2.3.11
version/xmlsoft libxml2/2.4.14
version/xmlsoft libxml2/2.4.29
version/xmlsoft libxml2/2.4.3
version/xmlsoft libxml2/2.2.11
version/xmlsoft libxml2/2.3.2
version/xmlsoft libxml2/2.4.1
version/xmlsoft libxml2/1.8.1
version/xmlsoft libxml2/1.8.4
version/xmlsoft libxml2/2.2.1
version/xmlsoft libxml2/2.3.12
version/xmlsoft libxml2/2.3.9
version/xmlsoft libxml2/2.4.23
version/xmlsoft libxml2/2.4.4

CVE-2003-1564

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact