CVE-2013-0340: XEE
First published: Tue Jan 21 2014(Updated: )
expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
Credit: an anonymous researcher an anonymous researcher an anonymous researcher an anonymous researcher an anonymous researcher an anonymous researcher secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Libexpat Project Libexpat | <2.4.0 | |
| Python Python | >=3.6.0<3.6.15 | |
| Python Python | >=3.7.0<3.7.12 | |
| Python Python | >=3.8.0<3.8.12 | |
| Python Python | >=3.9.0<3.9.7 | |
| Apple iPadOS | <14.8 | |
| Apple iPhone OS | <14.8 | |
| Apple macOS | <11.6 | |
| Apple tvOS | <15.0 | |
| Apple watchOS | <8.0 | |
| Apple Catalina | ||
| Apple iOS | <14.8 | 14.8 |
| Apple iPadOS | <14.8 | 14.8 |
| Apple watchOS | <8 | 8 |
| Apple tvOS | <15 | 15 |
| Apple macOS Big Sur | <11.6 | 11.6 |
| Apple iOS | <15 | 15 |
| Apple iPadOS | <15 | 15 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/HT212804 (Advisory)
- https://support.apple.com/en-us/HT212805 (Advisory)
- https://support.apple.com/en-us/HT212807 (Advisory)
- https://support.apple.com/en-us/HT212814 (Advisory)
- https://support.apple.com/en-us/HT212815 (Advisory)
- https://support.apple.com/en-us/HT212819 (Advisory)
- http://openwall.com/lists/oss-security/2013/02/22/3
- http://seclists.org/fulldisclosure/2021/Oct/61
- http://seclists.org/fulldisclosure/2021/Oct/62
- http://seclists.org/fulldisclosure/2021/Oct/63
- http://seclists.org/fulldisclosure/2021/Sep/33
- http://seclists.org/fulldisclosure/2021/Sep/34
- http://seclists.org/fulldisclosure/2021/Sep/35
- http://seclists.org/fulldisclosure/2021/Sep/38
- http://seclists.org/fulldisclosure/2021/Sep/39
- http://seclists.org/fulldisclosure/2021/Sep/40
- http://securitytracker.com/id?1028213
- http://www.openwall.com/lists/oss-security/2013/04/12/6
- http://www.openwall.com/lists/oss-security/2021/10/07/4
- http://www.osvdb.org/90634
- http://www.securityfocus.com/bid/58233
- https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702%40%3Cusers.openoffice.apache.org%3E
- https://security.gentoo.org/glsa/201701-21
- https://support.apple.com/kb/HT212804
- https://support.apple.com/kb/HT212805
- https://support.apple.com/kb/HT212807
- https://support.apple.com/kb/HT212814
- https://support.apple.com/kb/HT212815
- https://support.apple.com/kb/HT212819
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2021-30860
- CVE-2021-30783
- CVE-2021-31010
- CVE-2021-30827
- CVE-2021-30828
- CVE-2021-30829
- CVE-2021-22925
- CVE-2021-30832
- CVE-2021-30841
- CVE-2021-30842
- CVE-2021-30843
- CVE-2021-30835
- CVE-2021-30847
- CVE-2021-30830
- CVE-2021-30865
- CVE-2020-29622
- CVE-2021-30857
- CVE-2021-30859
- CVE-2013-0340
- CVE-2021-30855
- CVE-2021-30850
- CVE-2021-30844
- CVE-2021-30713
- CVE-2021-30811
- CVE-2021-30838
- CVE-2021-30834
- CVE-2021-30928
- CVE-2021-30853
- CVE-2021-30933
- CVE-2021-30864
- CVE-2021-30813
- CVE-2021-30819
- CVE-2021-30925
- CVE-2021-30845
- CVE-2021-30858
- CVE-2021-30837
- CVE-2021-30866
- CVE-2021-30882
- CVE-2021-30831
- CVE-2021-30840
- CVE-2021-30852
- CVE-2021-30814
- CVE-2021-30854
- CVE-2021-30808
- CVE-2021-30884
- CVE-2021-30818
- CVE-2021-30823
- CVE-2021-30836
- CVE-2021-30809
- CVE-2021-30846
- CVE-2021-30849
- CVE-2021-30851
- CVE-2021-30810
- CVE-2021-30897
- CVE-2021-30825
- CVE-2021-30863
- CVE-2021-30816
- CVE-2021-30867
- CVE-2021-30874
- CVE-2021-30898
- CVE-2021-30870
- CVE-2021-30815
- CVE-2021-31001
- CVE-2021-30826
- CVE-2021-31005
- CVE-2021-31008
- CVE-2021-30848
- CVE-2021-30930
- CVE-2021-30820
- CVE-2021-30905
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2013-0340.
What is the affected software?
The affected software includes Apple watchOS, Apple macOS Big Sur, Apple iOS, Apple iPadOS, Apple Catalina, and Apple tvOS.
What is the remedy for Apple watchOS?
The remedy for Apple watchOS is to update to version 8 or later.
What is the remedy for Apple macOS Big Sur?
The remedy for Apple macOS Big Sur is to update to version 11.6 or later.
What is the remedy for Apple iOS and iPadOS?
The remedy for Apple iOS and iPadOS is to update to version 15 or later.
What is the remedy for Apple Catalina?
No specific remedy is mentioned for Apple Catalina.
What is the remedy for Apple tvOS?
The remedy for Apple tvOS is to update to version 15 or later.
- collector/apple-support
- agent/type
- agent/event
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- agent/software-canonical-lookup-request
- agent/tags
- collector/nvd-index
- agent/author
- agent/references
- agent/weakness
- agent/severity
- agent/status
- agent/description
- collector/mitre-cve
- source/MITRE
- vendor/apple
- canonical/apple catalina
- canonical/apple macos big sur
- canonical/apple watchos
- status/rejected
- vendor/libexpat project
- canonical/libexpat project libexpat
- vendor/python
- canonical/python python
- version/python python/3.6.0
- version/python python/3.7.0
- version/python python/3.8.0
- version/python python/3.9.0
- canonical/apple ipados
- canonical/apple iphone os
- canonical/apple macos
- canonical/apple tvos
- canonical/apple ios