CVE-2017-7375: XEE
First published: Mon Jun 05 2017(Updated: )
A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/libxml2 | 2.9.4+dfsg1-7+deb10u4 2.9.4+dfsg1-7+deb10u6 2.9.10+dfsg-6.7+deb11u4 2.9.14+dfsg-1.3~deb12u1 2.9.14+dfsg-1.3 | |
| Xmlsoft Libxml2 | <=2.9.4 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Google Android | =4.4.4 | |
| Google Android | =5.0.2 | |
| Google Android | =5.1.1 | |
| Google Android | =6.0 | |
| Google Android | =6.0.1 | |
| Google Android | =7.0 | |
| Google Android | =7.1.1 | |
| Google Android | =7.1.2 | |
| Xmlsoft Libxml2 | =2.9.4-rc1 | |
| Xmlsoft Libxml2 | =2.9.4-rc2 | |
| Google Android | ||
| redhat/libxml2 | <2.9.5 | 2.9.5 |
| debian/libxml2 | <=2.9.1+dfsg1-5<=2.9.4+dfsg1-2.2 | 2.9.4+dfsg1-3.1 2.9.4+dfsg1-2.2+deb9u1 2.9.1+dfsg1-5+deb8u5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.gnome.org/show_bug.cgi?id=780691
- https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa
- https://gitlab.gnome.org/GNOME/libxml2/-/commit/90ccb58242866b0ba3edbef8fe44214a101c2b3e
- https://security-tracker.debian.org/tracker/CVE-2017-7375
- https://source.android.com/security/bulletin/2017-06-01#libraries
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1462226
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1462227
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1462228
- https://gitlab.gnome.org/GNOME/libxml2/commit/90ccb582
- https://bugzilla.redhat.com/show_bug.cgi?id=1462203
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375
- https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e
- https://bugzilla.novell.com/show_bug.cgi?id=1044894
- https://mapreri.org
- https://launchpad.net/~mapreri
- https://qa.debian.org/developer.php?login=mattia
- https://security-tracker.debian.org/tracker/CVE-2017-7376
- https://security-tracker.debian.org/tracker/CVE-2017-9049
- https://security-tracker.debian.org/tracker/CVE-2017-9050
- https://security-tracker.debian.org/tracker/CVE-2017-9047
- https://security-tracker.debian.org/tracker/CVE-2017-9048
- https://security-tracker.debian.org/tracker/CVE-2017-0663
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870867
- http://www.securityfocus.com/bid/98877
- http://www.securitytracker.com/id/1038623
- https://security.gentoo.org/glsa/201711-01
- https://source.android.com/security/bulletin/2017-06-01
- https://www.debian.org/security/2017/dsa-3952
- https://source.android.com/docs/security/bulletin/2017-06-01 (Advisory)
- collector/security-tracker-debian
- collector/debian-bugs
- alias/CVE-2017-7375
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/android-source
- source/Android
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- package-manager/debian
- vendor/xmlsoft
- canonical/xmlsoft libxml2
- version/xmlsoft libxml2/2.9.4
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/google
- canonical/google android
- version/google android/4.4.4
- version/google android/5.0.2
- version/google android/5.1.1
- version/google android/6.0
- version/google android/6.0.1
- version/google android/7.0
- version/google android/7.1.1
- version/google android/7.1.2
- version/xmlsoft libxml2/2.9.4-rc1
- version/xmlsoft libxml2/2.9.4-rc2
- package-manager/redhat