CVE-2023-34104: Regex Injection via Doctype Entities
First published: Tue Jun 06 2023(Updated: )
### Impact "fast-xml-parser" allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for DoS attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. ### Patches The problem has been resolved in v4.2.4 ### Workarounds Avoid using DOCTYPE parsing by `processEntities: false` option.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fast-xml-parser Project Fast-xml-parser | <4.2.4 | |
| IBM Cloud Pak for Security | <=1.10.0.0 - 1.10.11.0 | |
| IBM QRadar Suite Software | <=1.10.12.0 - 1.10.16.0 | |
| redhat/fast-xml-parser | <4.2.4 | 4.2.4 |
| npm/fast-xml-parser | >=4.1.3<4.2.4 | 4.2.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/NaturalIntelligence/fast-xml-parser/commit/39b0e050bb909e8499478657f84a3076e39ce76c
- https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-6w63-h3fj-q4vw
- https://exchange.xforce.ibmcloud.com/vulnerabilities/257474
- https://www.ibm.com/support/pages/node/7080058 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-34104
- https://github.com/advisories/GHSA-6w63-h3fj-q4vw (Advisory)
- https://access.redhat.com/errata/RHSA-2023:4627
- https://access.redhat.com/security/cve/cve-2023-34104
- https://bugzilla.redhat.com/show_bug.cgi?id=2221261
- https://github.com/NaturalIntelligence/fast-xml-parser/commit/a4bdced80369892ee413bf08e28b78795a2b0d5b
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-34104.
What is the severity of CVE-2023-34104?
The severity of CVE-2023-34104 is high with a CVSS score of 7.5.
How does the vulnerability in fast-xml-parser affect the software?
The vulnerability in fast-xml-parser allows for a denial of service attack caused by a regular expression denial of service (ReDoS) vulnerability.
Which versions of fast-xml-parser are affected?
Versions up to but excluding 4.2.4 of fast-xml-parser are affected.
How can I fix the vulnerability in fast-xml-parser?
To fix the vulnerability in fast-xml-parser, update to version 4.2.4 or later.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/remedy
- agent/severity
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-6w63-h3fj-q4vw
- alias/CVE-2023-34104
- collector/nvd-cve
- collector/github-advisory
- agent/tags
- agent/softwarecombine
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- collector/ibm-support
- source/IBM
- vendor/fast-xml-parser project
- canonical/fast-xml-parser project fast-xml-parser
- package-manager/npm
- package-manager/redhat
- vendor/ibm
- canonical/ibm cloud pak for security
- version/ibm cloud pak for security/1.10.0.0 - 1.10.11.0
- canonical/ibm qradar suite software
- version/ibm qradar suite software/1.10.12.0 - 1.10.16.0