CVE-2024-40896
CRITICAL: libxml2 2.11.0-2.11.8, 2.12.0-2.12.8, 2.13.0-2.13.2 - XML External Entity Injection via SAX Parser
Title source: llmDescription
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
References (3)
Core References
Issue Tracking
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6
Issue Tracking
https://gitlab.gnome.org/GNOME/libxml2/-/issues/761
Third Party Advisory
https://security.netapp.com/advisory/ntap-20250228-0004/
Scores
CVSS v3
9.1
EPSS
0.0117
EPSS Percentile
63.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (9)
netapp/h300s_firmware
netapp/h410c_firmware
netapp/h410s_firmware
netapp/h500s_firmware
netapp/h700s_firmware
netapp/hci_compute_node
netapp/solidfire_&_hci_management_node
netapp/solidfire_&_hci_storage_node
xmlsoft/libxml2
2.11.0 - 2.11.9
Published
Dec 23, 2024
Tracked Since
Feb 18, 2026