CVE-2024-23807
CRITICAL: Apache Xerces C++ 3.0.0-3.2.4 - Use-After-Free in External DTD Scanning
The Apache Xerces C++ XML parser, in versions 3.0.0 up to but not including 3.2.5, contains a use-after-free error triggered during the scanning of external DTDs. Users are recommended to upgrade to version 3.2.5, which fixes the issue, or to mitigate it by disabling DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable. This issue was previously disclosed as CVE-2018-1311, but that advisory incorrectly stated the issue would be fixed in version 3.2.3 or 3.2.4.
References (2)
Exploit, Patch, Third Party Advisory (patch): https://github.com/apache/xerces-c/pull/54
Mailing List, Patch, Vendor Advisory (vendor-advisory): https://lists.apache.org/thread/c497tgn864tsbm8w0bo3f0d81s07zk9r
Scores
CVSS v3
9.8
EPSS
0.0050
EPSS Percentile
66.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-416
Status
published
Products (1)
apache/xerces-c++
3.0.0 - 3.2.5
Published
Feb 29, 2024
Tracked Since
Feb 18, 2026