First published: Sun Jan 23 2022(Updated: )
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/expat | <0:2.1.0-14.el7_9 | 0:2.1.0-14.el7_9 |
redhat/expat | <0:2.2.5-4.el8_5.3 | 0:2.2.5-4.el8_5.3 |
redhat/expat | <0:2.2.5-4.el8_4.3 | 0:2.2.5-4.el8_4.3 |
Libexpat Project Libexpat | <2.4.4 | |
NetApp Clustered Data ONTAP | ||
NetApp OnCommand Workflow Automation | ||
Tenable Nessus | <8.15.3 | |
Tenable Nessus | >=10.0.0<10.1.1 | |
Oracle Communications Metasolv Solution | =6.3.1 | |
Debian Debian Linux | =9.0 | |
Siemens SINEMA Remote Connect Server | <3.1 | |
redhat/expat | <2.4.4 | 2.4.4 |
Google Android | ||
debian/expat | 2.2.10-2+deb11u5 2.2.10-2+deb11u6 2.5.0-1+deb12u1 2.6.4-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2022-23852 is a vulnerability in expat (libexpat) that can cause process interruption due to an integer overflow when processing a large number of prefixed XML attributes on a single tag.
The severity of CVE-2022-23852 is critical with a CVSS score of 9.8.
Expat (libexpat) versions before 2.4.4 are affected by CVE-2022-23852.
To fix CVE-2022-23852, update expat to version 2.4.4.
You can find more information about CVE-2022-23852 at the following references: [link1](https://github.com/libexpat/libexpat/pull/550), [link2](https://bugzilla.suse.com/1195054), [link3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2052320).