CVE-2014-5265
First published: Mon Aug 18 2014(Updated: )
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WordPress | <=3.9.1 | |
| WordPress | =3.0 | |
| WordPress | =3.0.1 | |
| WordPress | =3.0.2 | |
| WordPress | =3.0.3 | |
| WordPress | =3.0.4 | |
| WordPress | =3.0.5 | |
| WordPress | =3.0.6 | |
| WordPress | =3.1 | |
| WordPress | =3.1.1 | |
| WordPress | =3.1.2 | |
| WordPress | =3.1.3 | |
| WordPress | =3.1.4 | |
| WordPress | =3.2 | |
| WordPress | =3.2-beta1 | |
| WordPress | =3.2.1 | |
| WordPress | =3.3 | |
| WordPress | =3.3.1 | |
| WordPress | =3.3.2 | |
| WordPress | =3.3.3 | |
| WordPress | =3.4.0 | |
| WordPress | =3.4.1 | |
| WordPress | =3.4.2 | |
| WordPress | =3.5.0 | |
| WordPress | =3.5.1 | |
| WordPress | =3.6 | |
| WordPress | =3.6.1 | |
| WordPress | =3.7 | |
| WordPress | =3.7.1 | |
| WordPress | =3.8 | |
| WordPress | =3.8.1 | |
| WordPress | =3.9.0 | |
| Drupal | =6.0 | |
| Drupal | =6.0-beta1 | |
| Drupal | =6.0-beta2 | |
| Drupal | =6.0-beta3 | |
| Drupal | =6.0-beta4 | |
| Drupal | =6.0-dev | |
| Drupal | =6.0-rc1 | |
| Drupal | =6.0-rc2 | |
| Drupal | =6.0-rc3 | |
| Drupal | =6.0-rc4 | |
| Drupal | =6.1 | |
| Drupal | =6.2 | |
| Drupal | =6.3 | |
| Drupal | =6.4 | |
| Drupal | =6.5 | |
| Drupal | =6.6 | |
| Drupal | =6.7 | |
| Drupal | =6.8 | |
| Drupal | =6.9 | |
| Drupal | =6.10 | |
| Drupal | =6.11 | |
| Drupal | =6.12 | |
| Drupal | =6.13 | |
| Drupal | =6.14 | |
| Drupal | =6.15 | |
| Drupal | =6.16 | |
| Drupal | =6.17 | |
| Drupal | =6.18 | |
| Drupal | =6.19 | |
| Drupal | =6.20 | |
| Drupal | =6.21 | |
| Drupal | =6.22 | |
| Drupal | =6.23 | |
| Drupal | =6.24 | |
| Drupal | =6.25 | |
| Drupal | =6.26 | |
| Drupal | =6.27 | |
| Drupal | =6.28 | |
| Drupal | =6.29 | |
| Drupal | =6.30 | |
| Drupal | =6.31 | |
| Drupal | =6.32 | |
| Drupal | =7.0 | |
| Drupal | =7.0-alpha1 | |
| Drupal | =7.0-alpha2 | |
| Drupal | =7.0-alpha3 | |
| Drupal | =7.0-alpha4 | |
| Drupal | =7.0-alpha5 | |
| Drupal | =7.0-alpha6 | |
| Drupal | =7.0-alpha7 | |
| Drupal | =7.0-beta1 | |
| Drupal | =7.0-beta2 | |
| Drupal | =7.0-beta3 | |
| Drupal | =7.0-dev | |
| Drupal | =7.0-rc1 | |
| Drupal | =7.0-rc2 | |
| Drupal | =7.0-rc3 | |
| Drupal | =7.0-rc4 | |
| Drupal | =7.1 | |
| Drupal | =7.2 | |
| Drupal | =7.3 | |
| Drupal | =7.4 | |
| Drupal | =7.5 | |
| Drupal | =7.6 | |
| Drupal | =7.7 | |
| Drupal | =7.8 | |
| Drupal | =7.9 | |
| Drupal | =7.10 | |
| Drupal | =7.11 | |
| Drupal | =7.12 | |
| Drupal | =7.13 | |
| Drupal | =7.14 | |
| Drupal | =7.15 | |
| Drupal | =7.16 | |
| Drupal | =7.17 | |
| Drupal | =7.18 | |
| Drupal | =7.19 | |
| Drupal | =7.20 | |
| Drupal | =7.21 | |
| Drupal | =7.22 | |
| Drupal | =7.23 | |
| Drupal | =7.24 | |
| Drupal | =7.25 | |
| Drupal | =7.26 | |
| Drupal | =7.27 | |
| Drupal | =7.28 | |
| Drupal | =7.29 | |
| Drupal | =7.30 | |
| Drupal | =7.x-dev | |
| Debian | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2014-5265?
CVE-2014-5265 is classified as a medium severity vulnerability due to its potential for denial of service attacks.
How do I fix CVE-2014-5265?
To fix CVE-2014-5265, update to WordPress version 3.9.2 or higher or Drupal version 6.33 or 7.31 or higher.
Who is affected by CVE-2014-5265?
CVE-2014-5265 affects WordPress versions prior to 3.9.2 and Drupal versions prior to 6.33 and 7.31.
What is the impact of CVE-2014-5265?
The impact of CVE-2014-5265 allows remote attackers to cause denial of service by exhausting memory and CPU resources.
How does CVE-2014-5265 exploit the XML-RPC library?
CVE-2014-5265 exploits the XML-RPC library by permitting recursive entity declarations that lead to excessive resource consumption.
- agent/references
- agent/type
- agent/remedy
- agent/author
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/wordpress
- canonical/wordpress
- version/wordpress/3.9.1
- version/wordpress/3.0
- version/wordpress/3.0.1
- version/wordpress/3.0.2
- version/wordpress/3.0.3
- version/wordpress/3.0.4
- version/wordpress/3.0.5
- version/wordpress/3.0.6
- version/wordpress/3.1
- version/wordpress/3.1.1
- version/wordpress/3.1.2
- version/wordpress/3.1.3
- version/wordpress/3.1.4
- version/wordpress/3.2
- version/wordpress/3.2-beta1
- version/wordpress/3.2.1
- version/wordpress/3.3
- version/wordpress/3.3.1
- version/wordpress/3.3.2
- version/wordpress/3.3.3
- version/wordpress/3.4.0
- version/wordpress/3.4.1
- version/wordpress/3.4.2
- version/wordpress/3.5.0
- version/wordpress/3.5.1
- version/wordpress/3.6
- version/wordpress/3.6.1
- version/wordpress/3.7
- version/wordpress/3.7.1
- version/wordpress/3.8
- version/wordpress/3.8.1
- version/wordpress/3.9.0
- vendor/drupal
- canonical/drupal
- version/drupal/6.0
- version/drupal/6.0-beta1
- version/drupal/6.0-beta2
- version/drupal/6.0-beta3
- version/drupal/6.0-beta4
- version/drupal/6.0-dev
- version/drupal/6.0-rc1
- version/drupal/6.0-rc2
- version/drupal/6.0-rc3
- version/drupal/6.0-rc4
- version/drupal/6.1
- version/drupal/6.2
- version/drupal/6.3
- version/drupal/6.4
- version/drupal/6.5
- version/drupal/6.6
- version/drupal/6.7
- version/drupal/6.8
- version/drupal/6.9
- version/drupal/6.10
- version/drupal/6.11
- version/drupal/6.12
- version/drupal/6.13
- version/drupal/6.14
- version/drupal/6.15
- version/drupal/6.16
- version/drupal/6.17
- version/drupal/6.18
- version/drupal/6.19
- version/drupal/6.20
- version/drupal/6.21
- version/drupal/6.22
- version/drupal/6.23
- version/drupal/6.24
- version/drupal/6.25
- version/drupal/6.26
- version/drupal/6.27
- version/drupal/6.28
- version/drupal/6.29
- version/drupal/6.30
- version/drupal/6.31
- version/drupal/6.32
- version/drupal/7.0
- version/drupal/7.0-alpha1
- version/drupal/7.0-alpha2
- version/drupal/7.0-alpha3
- version/drupal/7.0-alpha4
- version/drupal/7.0-alpha5
- version/drupal/7.0-alpha6
- version/drupal/7.0-alpha7
- version/drupal/7.0-beta1
- version/drupal/7.0-beta2
- version/drupal/7.0-beta3
- version/drupal/7.0-dev
- version/drupal/7.0-rc1
- version/drupal/7.0-rc2
- version/drupal/7.0-rc3
- version/drupal/7.0-rc4
- version/drupal/7.1
- version/drupal/7.2
- version/drupal/7.3
- version/drupal/7.4
- version/drupal/7.5
- version/drupal/7.6
- version/drupal/7.7
- version/drupal/7.8
- version/drupal/7.9
- version/drupal/7.10
- version/drupal/7.11
- version/drupal/7.12
- version/drupal/7.13
- version/drupal/7.14
- version/drupal/7.15
- version/drupal/7.16
- version/drupal/7.17
- version/drupal/7.18
- version/drupal/7.19
- version/drupal/7.20
- version/drupal/7.21
- version/drupal/7.22
- version/drupal/7.23
- version/drupal/7.24
- version/drupal/7.25
- version/drupal/7.26
- version/drupal/7.27
- version/drupal/7.28
- version/drupal/7.29
- version/drupal/7.30
- version/drupal/7.x-dev
- vendor/debian
- canonical/debian
- version/debian/7.0