CVE-2011-1756
First published: Tue Jun 21 2011(Updated: )
modules/xmpp/serv_xmpp.c in Citadel 7.86 and earlier does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Citadel | =7.84 | |
| Citadel | =7.81 | |
| Citadel | =7.80 | |
| Citadel | =7.82 | |
| Citadel | =7.50 | |
| Citadel | <=7.86 | |
| Citadel | =7.11 | |
| Citadel | =7.60 |
Remedy
http://code.citadel.org/cgit.cgi/git.citadel.org/commit/?id=27c991cc2059f5530d3d4e9689dc976b745f5b0c
Remedy
http://code.citadel.org/cgit.cgi/git.citadel.org/commit/?id=95040add546a705cc2d1d8f16293141f9f9845a6
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packages.debian.org/changelogs/pool/main/c/citadel/citadel_7.37-8+lenny1/changelog
- http://security.debian.org/debian-security/pool/updates/main/c/citadel/citadel_7.83-2squeeze2.diff.gz
- http://code.citadel.org/cgit.cgi/git.citadel.org/commit/?id=27c991cc2059f5530d3d4e9689dc976b745f5b0c
- http://code.citadel.org/cgit.cgi/git.citadel.org/commit/?id=95040add546a705cc2d1d8f16293141f9f9845a6
- http://packages.debian.org/changelogs/pool/main/c/citadel/citadel_7.83-2squeeze2/changelog
- http://secunia.com/advisories/44788
- http://www.debian.org/security/2011/dsa-2250
- http://www.securityfocus.com/bid/48071
Frequently Asked Questions
What is the severity of CVE-2011-1756?
CVE-2011-1756 has a moderate severity level, as it can lead to denial of service via excessive memory and CPU consumption.
How do I fix CVE-2011-1756?
To fix CVE-2011-1756, upgrade to Citadel version 7.87 or later where the vulnerability has been patched.
What type of attack does CVE-2011-1756 enable?
CVE-2011-1756 allows remote attackers to conduct denial of service attacks through a crafted XML document.
What are the affected versions listed for CVE-2011-1756?
CVE-2011-1756 affects Citadel versions up to and including 7.86.
Is CVE-2011-1756 an exploitation vulnerability?
No, CVE-2011-1756 is classified as a denial of service vulnerability that exploits recursion during entity expansion.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/remedy
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/citadel
- canonical/citadel
- version/citadel/7.84
- version/citadel/7.81
- version/citadel/7.80
- version/citadel/7.82
- version/citadel/7.50
- version/citadel/7.86
- version/citadel/7.11
- version/citadel/7.60