Description
Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in "simply nested DTD structures," as demonstrated by the Codenomicon XML fuzzing framework.
References (15)
Core 15
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/35986
Various Sources x_refsource_misc
http://www.networkworld.com/columnists/2009/080509-xml-flaw.html
Various Sources x_refsource_misc
http://www.cert.fi/en/reports/2009/vulnerability2009085.html
Various Sources x_refsource_misc
http://www.codenomicon.com/labs/xml/
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01136.html
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/36201
Patch, Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2196
Patch x_refsource_confirm
http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/validators/DTD/DTDScanner.cpp?r1=781488&r2=781487&pathrev=781488&view=patch
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01001.html
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:223
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/52321
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01099.html
Exploit x_refsource_confirm
http://svn.apache.org/viewvc?view=rev&revision=781488
Patch x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=515515
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01150.html
Scores
EPSS
0.0532
EPSS Percentile
91.7%
Details
CWE
CWE-119
Status
published
Products (2)
apache/xerces-c\+\+
2.7.0
apache/xerces-c\+\+
2.8.0
Published
Aug 11, 2009
Tracked Since
Feb 18, 2026