CVE-2024-28757

HIGH

Libexpat < 2.6.2 - XML Entity Expansion

Title source: rule

Description

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

Exploits (3)

nomisec WRITEUP

by saurabh2088 · poc

https://github.com/saurabh2088/expat_2_1_0_CVE-2024-28757

View Code ZIP pw:eip

nomisec

by saurabh2088 · poc

https://github.com/saurabh2088/expat_2_1_1_CVE-2024-28757

View on nomisec

nomisec WRITEUP

by RenukaSelvar · poc

https://github.com/RenukaSelvar/expat_CVE-2024-28757

View Code ZIP pw:eip

References (10)

[Exploit, Issue Tracking, Patch] https://github.com/libexpat/libexpat/issues/839

[Issue Tracking, Patch] https://github.com/libexpat/libexpat/pull/842

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20240322-0001/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/

[Mailing List] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/

[Mailing List] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/

[Mailing List] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/

[Mailing List, Patch, Release Notes] http://www.openwall.com/lists/oss-security/2024/03/15/1

Scores

CVSS v3 7.5

EPSS 0.0123

EPSS Percentile 79.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-776

Status published

Products (16)

fedoraproject/fedora 38

fedoraproject/fedora 39

fedoraproject/fedora 40

libexpat_project/libexpat < 2.6.2

netapp/active_iq_unified_manager

netapp/h300s_firmware

netapp/h410c_firmware

netapp/h410s_firmware

netapp/h500s_firmware

netapp/h610c_firmware

... and 6 more

Published Mar 10, 2024

Tracked Since Feb 18, 2026