First published: Fri Feb 18 2022
A flaw was found in expat. A stack exhaustion in doctype parsing could be triggered by a file with a large number of opening braces, resulting in a denial of service.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/expat | <2.4.5 | 2.4.5 |
redhat/mingw-expat | <0:2.4.8-1.el8 | 0:2.4.8-1.el8 |
redhat/expat | <0:2.2.5-8.el8_6.2 | 0:2.2.5-8.el8_6.2 |
redhat/expat | <0:2.2.10-12.el9_0.2 | 0:2.2.10-12.el9_0.2 |
debian/expat | 2.2.6-2+deb10u4, 2.2.6-2+deb10u6, 2.2.10-2+deb11u5, 2.5.0-1, 2.5.0-2 | |
Libexpat Project Libexpat | <2.4.5 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
Oracle HTTP Server | =12.2.1.3.0 | |
Oracle HTTP Server | =12.2.1.4.0 | |
Oracle ZFS Storage Appliance Kit | =8.8 | |
Siemens SINEMA Remote Connect Server | <3.1 | |
There is no known mitigation other than restricting applications using the expat library from processing untrusted XML content.
CVE-2022-25313 is a vulnerability in Expat (aka libexpat) before version 2.4.5 that can trigger stack exhaustion and result in denial of service.
CVE-2022-25313 has a severity value of 6.5, which is considered medium.
Expat versions before 2.4.5 are affected by CVE-2022-25313.
To fix CVE-2022-25313, update Expat to version 2.4.5 or later.