First published: Tue Jul 05 2022(Updated: )
NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
Credit: security@huntr.dev security@huntr.dev
Affected Software | Affected Version | How to fix |
---|---|---|
pip/lxml | <4.9.1 | 4.9.1 |
Lxml Lxml | <4.9.1 | |
Xmlsoft Libxml2 | >=2.9.10<=2.9.14 | |
Fedoraproject Fedora | =36 | |
Fedoraproject Fedora | =37 | |
All of | ||
Xmlsoft Libxml2 | >=2.9.10<=2.9.14 | |
Lxml Lxml | <4.9.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-2309 is a vulnerability that allows attackers to cause a denial of service or application crash in lxml when used with libxml2 2.9.10 through 2.9.14.
The severity of CVE-2022-2309 is medium with a CVSS score of 5.3.
CVE-2022-2309 affects lxml when used with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier versions are not affected.
An attacker can exploit CVE-2022-2309 by triggering crashes through forged input data when vulnerable code is executed.
To fix CVE-2022-2309, update lxml to version 4.9.1 using pip.