7.5
CWE
476
Advisory Published
Advisory Published
Updated

CVE-2022-2309: NULL Pointer Dereference in lxml/lxml

First published: Tue Jul 05 2022(Updated: )

NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Credit: security@huntr.dev security@huntr.dev

Affected SoftwareAffected VersionHow to fix
pip/lxml<4.9.1
4.9.1
Lxml Lxml<4.9.1
Xmlsoft Libxml2>=2.9.10<=2.9.14
Fedoraproject Fedora=36
Fedoraproject Fedora=37
All of
Xmlsoft Libxml2>=2.9.10<=2.9.14
Lxml Lxml<4.9.1

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is CVE-2022-2309?

    CVE-2022-2309 is a vulnerability that allows attackers to cause a denial of service or application crash in lxml when used with libxml2 2.9.10 through 2.9.14.

  • What is the severity of CVE-2022-2309?

    The severity of CVE-2022-2309 is medium with a CVSS score of 5.3.

  • Which software versions are affected by CVE-2022-2309?

    CVE-2022-2309 affects lxml when used with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier versions are not affected.

  • How can an attacker exploit CVE-2022-2309?

    An attacker can exploit CVE-2022-2309 by triggering crashes through forged input data when vulnerable code is executed.

  • How can I fix CVE-2022-2309?

    To fix CVE-2022-2309, update lxml to version 4.9.1 using pip.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203