CVE-2017-7375: XEE
First published: Mon Jun 05 2017(Updated: )
A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/libxml2 | 2.9.4+dfsg1-7+deb10u4 2.9.4+dfsg1-7+deb10u6 2.9.10+dfsg-6.7+deb11u4 2.9.14+dfsg-1.3~deb12u1 2.9.14+dfsg-1.3 | |
| debian/libxml2 | <=2.9.1+dfsg1-5<=2.9.4+dfsg1-2.2 | 2.9.4+dfsg1-3.1 2.9.4+dfsg1-2.2+deb9u1 2.9.1+dfsg1-5+deb8u5 |
| redhat/libxml2 | <2.9.5 | 2.9.5 |
| Android | ||
| libxml2-devel | <=2.9.4 | |
| Debian | =7.0 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Android | =4.4.4 | |
| Android | =5.0.2 | |
| Android | =5.1.1 | |
| Android | =6.0 | |
| Android | =6.0.1 | |
| Android | =7.0 | |
| Android | =7.1.1 | |
| Android | =7.1.2 | |
| libxml2-devel | =2.9.4-rc1 | |
| libxml2-devel | =2.9.4-rc2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.gnome.org/show_bug.cgi?id=780691
- https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa
- https://gitlab.gnome.org/GNOME/libxml2/-/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e
- https://security-tracker.debian.org/tracker/CVE-2017-7375
- https://source.android.com/security/bulletin/2017-06-01#libraries
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1462226
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1462227
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1462228
- https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb582
- https://bugzilla.redhat.com/show_bug.cgi?id=1462203
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375
- https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e
- https://bugzilla.novell.com/show_bug.cgi?id=1044894
- https://mapreri.org
- https://launchpad.net/~mapreri
- https://qa.debian.org/developer.php?login=mattia
- https://security-tracker.debian.org/tracker/CVE-2017-7376
- https://security-tracker.debian.org/tracker/CVE-2017-9049
- https://security-tracker.debian.org/tracker/CVE-2017-9050
- https://security-tracker.debian.org/tracker/CVE-2017-9047
- https://security-tracker.debian.org/tracker/CVE-2017-9048
- https://security-tracker.debian.org/tracker/CVE-2017-0663
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870867
- http://www.securityfocus.com/bid/98877
- http://www.securitytracker.com/id/1038623
- https://security.gentoo.org/glsa/201711-01
- https://source.android.com/security/bulletin/2017-06-01
- https://www.debian.org/security/2017/dsa-3952
- https://source.android.com/docs/security/bulletin/2017-06-01 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2017-7375?
CVE-2017-7375 is considered a moderate severity vulnerability due to its potential for remote exploitation.
How do I fix CVE-2017-7375?
To fix CVE-2017-7375, update libxml2 to versions 2.9.4+dfsg1-7+deb10u4 or higher for Debian systems, and 2.9.5 or higher for Red Hat systems.
Which software is affected by CVE-2017-7375?
CVE-2017-7375 affects multiple versions of libxml2 across Debian and Google Android platforms.
Can CVE-2017-7375 lead to data exposure?
Yes, CVE-2017-7375 can potentially lead to exposure of sensitive data through XML entity inclusion.
Is CVE-2017-7375 in a supported version of libxml2?
Versions of libxml2 prior to 2.9.4+dfsg1-7 and 2.9.5 are vulnerable to CVE-2017-7375 and should be updated.
- collector/security-tracker-debian
- collector/debian-bugs
- alias/CVE-2017-7375
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/references
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/android-source
- source/Android
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/debian
- package-manager/redhat
- vendor/google
- canonical/android
- vendor/xmlsoft
- canonical/libxml2-devel
- version/libxml2-devel/2.9.4
- vendor/debian
- canonical/debian
- version/debian/7.0
- version/debian/8.0
- version/debian/9.0
- version/android/4.4.4
- version/android/5.0.2
- version/android/5.1.1
- version/android/6.0
- version/android/6.0.1
- version/android/7.0
- version/android/7.1.1
- version/android/7.1.2
- version/libxml2-devel/2.9.4-rc1
- version/libxml2-devel/2.9.4-rc2