CVE-2023-34194
First published: Wed Dec 13 2023(Updated: )
StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML through 2.6.2 has a reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/tinyxml | <=2.6.2-4 | 2.6.2-4+deb10u2 2.6.2-4+deb11u2 2.6.2-6+deb12u1 2.6.2-6.1 |
| ubuntu/tinyxml | <2.6.2-4ubuntu0.18.04.1~ | 2.6.2-4ubuntu0.18.04.1~ |
| ubuntu/tinyxml | <2.6.2-4+ | 2.6.2-4+ |
| ubuntu/tinyxml | <2.6.2-6ubuntu0.22.04.1 | 2.6.2-6ubuntu0.22.04.1 |
| ubuntu/tinyxml | <2.6.2-6ubuntu0.23.10.1 | 2.6.2-6ubuntu0.23.10.1 |
| ubuntu/tinyxml | <2.6.2-6.1 | 2.6.2-6.1 |
| ubuntu/tinyxml | <2.6.2-3ubuntu0.1~ | 2.6.2-3ubuntu0.1~ |
| TinyXML | <=2.6.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://sourceforge.net/p/tinyxml/git/ci/master/tree/tinyxmlparser.cpp
- https://www.forescout.com/resources/sierra21-vulnerabilities
- https://lists.debian.org/debian-lts-announce/2023/12/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QCR5PIOBGDIDS6SYRESTMDJSEDFSCOE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HOMBSHRIW5Q34SQSXYURYAOYDZD2NQF6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QCR5PIOBGDIDS6SYRESTMDJSEDFSCOE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOMBSHRIW5Q34SQSXYURYAOYDZD2NQF6/
- https://launchpad.net/bugs/cve/CVE-2023-34194
- https://salsa.debian.org/debian/tinyxml/-/raw/2366e1f23d059d4c20c43c54176b6bd78d6a83fc/debian/patches/CVE-2023-34194.patch
- https://security-tracker.debian.org/tracker/CVE-2023-34194
- https://ubuntu.com/security/notices/USN-6612-1
- https://www.cve.org/CVERecord?id=CVE-2023-34194
- https://nvd.nist.gov/vuln/detail/CVE-2023-34194
- https://ubuntu.com/security/CVE-2023-34194
Frequently Asked Questions
What is the severity of CVE-2023-34194?
CVE-2023-34194 is considered a security vulnerability that leads to a reachable assertion failure and application exit.
How do I fix CVE-2023-34194?
To fix CVE-2023-34194, upgrade TinyXML to a version above 2.6.2, such as 2.6.2-5 or later.
Which versions of TinyXML are affected by CVE-2023-34194?
CVE-2023-34194 affects all TinyXML versions up to and including 2.6.2.
What software is impacted by CVE-2023-34194?
CVE-2023-34194 impacts TinyXML versions through 2.6.2 across various Debian and Ubuntu packages.
Is there a specific patch for CVE-2023-34194?
There is no specific patch; users need to upgrade to the fixed version of TinyXML to mitigate CVE-2023-34194.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/description
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- package-manager/debian
- package-manager/ubuntu
- vendor/tinyxml project
- canonical/tinyxml
- version/tinyxml/2.6.2