CVE-2008-3281 - Vulnerability Details

libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Iphone Os Safari
Canonical	Ubuntu Linux
Debian	Debian Linux
Fedoraproject	Fedora
Redhat	Enterprise Linux Enterprise Linux Desktop Enterprise Linux Eus Enterprise Linux Server Enterprise Linux Workstation
Vmware	Esx
Xmlsoft	Libxml2

Configuration 1 [-]

cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:o:apple:iphone_os::::::::

Configuration 3 [-]

cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:6.06:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:7.04:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:7.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:8.04:::::::*

Configuration 5 [-]

cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*

Configuration 6 [-]

OR	cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:4.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:5.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:2.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:3.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:4.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:2.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*

Configuration 7 [-]

OR	cpe:2.3:o:vmware:esx:2.5.4:::::::*
	cpe:2.3:o:vmware:esx:2.5.5:::::::*
	cpe:2.3:o:vmware:esx:3.0.2:::::::*
	cpe:2.3:o:vmware:esx:3.0.3:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 2.1
libxml2-0:2.4.19-9.ent	cpe:/o:redhat:enterprise_linux:2.1	RHSA-2008:0836	2008-08-21T00:00:00Z
Red Hat Enterprise Linux 3
libxml2-0:2.5.10-11	cpe:/o:redhat:enterprise_linux:3	RHSA-2008:0836	2008-08-21T00:00:00Z
Red Hat Enterprise Linux 4
libxml2-0:2.6.16-12.3	cpe:/o:redhat:enterprise_linux:4	RHSA-2008:0836	2008-08-21T00:00:00Z
Red Hat Enterprise Linux 5
libxml2-0:2.6.26-2.1.2.4	cpe:/o:redhat:enterprise_linux:5	RHSA-2008:0836	2008-08-21T00:00:00Z

References

Link	Providers
http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
http://lists.vmware.com/pipermail/security-announce/2008/000039.html
http://mail.gnome.org/archives/xml/2008-August/msg00034.html
http://secunia.com/advisories/31558
http://secunia.com/advisories/31566
http://secunia.com/advisories/31590
http://secunia.com/advisories/31728
http://secunia.com/advisories/31748
http://secunia.com/advisories/31855
http://secunia.com/advisories/31982
http://secunia.com/advisories/32488
http://secunia.com/advisories/32807
http://secunia.com/advisories/32974
http://secunia.com/advisories/35379
http://security.gentoo.org/glsa/glsa-200812-06.xml
http://support.apple.com/kb/HT3613
http://support.apple.com/kb/HT3639
http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772
http://wiki.rpath.com/Advisories:rPSA-2008-0325
http://www.debian.org/security/2008/dsa-1631
http://www.mandriva.com/security/advisories?name=MDVSA-2008:180
http://www.mandriva.com/security/advisories?name=MDVSA-2008:192
http://www.securityfocus.com/archive/1/497962/100/0/threaded
http://www.securityfocus.com/bid/30783
http://www.securitytracker.com/id?1020728
http://www.ubuntu.com/usn/usn-640-1
http://www.vmware.com/security/advisories/VMSA-2008-0017.html
http://www.vupen.com/english/advisories/2008/2419
http://www.vupen.com/english/advisories/2008/2843
http://www.vupen.com/english/advisories/2008/2971
http://www.vupen.com/english/advisories/2009/1522
http://www.vupen.com/english/advisories/2009/1621
http://xmlsoft.org/news.html
https://bugzilla.redhat.com/show_bug.cgi?id=458086
https://nvd.nist.gov/vuln/detail/CVE-2008-3281
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6496
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9812
https://rhn.redhat.com/errata/RHSA-2008-0836.html
https://usn.ubuntu.com/644-1/
https://www.cve.org/CVERecord?id=CVE-2008-3281
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00261.html
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00347.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2008-08-27T20:00:00

Updated: 2024-08-07T09:28:41.985Z

Reserved: 2008-07-24T00:00:00

Link: CVE-2008-3281

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2008-08-27T20:41:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-3281

Redhat

Severity : Moderate

Publid Date: 2008-08-20T00:00:00Z

Links: CVE-2008-3281 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-08-20T00:00:00", "descriptions": [{"lang": "en", "value": "libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "USN-644-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/644-1/"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.apple.com/kb/HT3639"}, {"name": "31855", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31855"}, {"name": "1020728", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1020728"}, {"name": "ADV-2009-1621", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/1621"}, {"name": "FEDORA-2008-7395", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00347.html"}, {"name": "RHSA-2008:0836", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://rhn.redhat.com/errata/RHSA-2008-0836.html"}, {"name": "32807", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/32807"}, {"name": "APPLE-SA-2009-06-08-1", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html"}, {"name": "31982", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31982"}, {"name": "ADV-2008-2971", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2971"}, {"tags": ["x_refsource_MISC"], "url": "http://www.vmware.com/security/advisories/VMSA-2008-0017.html"}, {"name": "ADV-2008-2843", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2843"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://xmlsoft.org/news.html"}, {"name": "31590", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31590"}, {"name": "ADV-2009-1522", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/1522"}, {"name": "20081031 VMSA-2008-0017 Updated ESX packages for libxml2, ucd-snmp, libtiff", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/497962/100/0/threaded"}, {"name": "USN-640-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/usn-640-1"}, {"name": "31728", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31728"}, {"name": "GLSA-200812-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200812-06.xml"}, {"name": "APPLE-SA-2009-06-17-1", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html"}, {"name": "32488", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/32488"}, {"name": "SUSE-SR:2008:018", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html"}, {"name": "31566", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31566"}, {"name": "30783", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/30783"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0325"}, {"name": "oval:org.mitre.oval:def:6496", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6496"}, {"name": "ADV-2008-2419", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2419"}, {"name": "35379", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/35379"}, {"name": "MDVSA-2008:192", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:192"}, {"name": "32974", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/32974"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772"}, {"name": "FEDORA-2008-7594", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00261.html"}, {"name": "DSA-1631", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2008/dsa-1631"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=458086"}, {"name": "[xml] 20080820 Security fix for libxml2", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mail.gnome.org/archives/xml/2008-August/msg00034.html"}, {"name": "oval:org.mitre.oval:def:9812", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9812"}, {"name": "MDVSA-2008:180", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:180"}, {"name": "31558", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31558"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.apple.com/kb/HT3613"}, {"name": "[Security-announce] 20081030 VMSA-2008-0017 Updated ESX packages for libxml2, ucd-snmp, libtiff", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.vmware.com/pipermail/security-announce/2008/000039.html"}, {"name": "31748", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31748"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T09:28:41.985Z"}, "title": "CVE Program Container", "references": [{"name": "USN-644-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/644-1/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://support.apple.com/kb/HT3639"}, {"name": "31855", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31855"}, {"name": "1020728", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1020728"}, {"name": "ADV-2009-1621", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2009/1621"}, {"name": "FEDORA-2008-7395", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00347.html"}, {"name": "RHSA-2008:0836", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://rhn.redhat.com/errata/RHSA-2008-0836.html"}, {"name": "32807", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/32807"}, {"name": "APPLE-SA-2009-06-08-1", "tags": ["vendor-advisory", "x_refsource_APPLE", "x_transferred"], "url": "http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html"}, {"name": "31982", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31982"}, {"name": "ADV-2008-2971", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/2971"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.vmware.com/security/advisories/VMSA-2008-0017.html"}, {"name": "ADV-2008-2843", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/2843"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://xmlsoft.org/news.html"}, {"name": "31590", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31590"}, {"name": "ADV-2009-1522", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2009/1522"}, {"name": "20081031 VMSA-2008-0017 Updated ESX packages for libxml2, ucd-snmp, libtiff", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/497962/100/0/threaded"}, {"name": "USN-640-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/usn-640-1"}, {"name": "31728", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31728"}, {"name": "GLSA-200812-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://security.gentoo.org/glsa/glsa-200812-06.xml"}, {"name": "APPLE-SA-2009-06-17-1", "tags": ["vendor-advisory", "x_refsource_APPLE", "x_transferred"], "url": "http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html"}, {"name": "32488", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/32488"}, {"name": "SUSE-SR:2008:018", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html"}, {"name": "31566", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31566"}, {"name": "30783", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/30783"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0325"}, {"name": "oval:org.mitre.oval:def:6496", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6496"}, {"name": "ADV-2008-2419", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/2419"}, {"name": "35379", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/35379"}, {"name": "MDVSA-2008:192", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:192"}, {"name": "32974", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/32974"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772"}, {"name": "FEDORA-2008-7594", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00261.html"}, {"name": "DSA-1631", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2008/dsa-1631"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=458086"}, {"name": "[xml] 20080820 Security fix for libxml2", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://mail.gnome.org/archives/xml/2008-August/msg00034.html"}, {"name": "oval:org.mitre.oval:def:9812", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9812"}, {"name": "MDVSA-2008:180", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:180"}, {"name": "31558", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31558"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://support.apple.com/kb/HT3613"}, {"name": "[Security-announce] 20081030 VMSA-2008-0017 Updated ESX packages for libxml2, ucd-snmp, libtiff", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.vmware.com/pipermail/security-announce/2008/000039.html"}, {"name": "31748", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31748"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2008-3281", "datePublished": "2008-08-27T20:00:00", "dateReserved": "2008-07-24T00:00:00", "dateUpdated": "2024-08-07T09:28:41.985Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*", "matchCriteriaId": "66E994C3-52FD-41F8-B310-3B1C549D2D62", "versionEndIncluding": "2.6.32", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "matchCriteriaId": "212BF588-5C81-4801-A76D-73FB1DE211EA", "versionEndExcluding": "4.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "6717E295-F796-48DE-8F4B-B2B00B3C6589", "versionEndExcluding": "3.0", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*", "matchCriteriaId": "743CBBB1-C140-4FEF-B40E-FAE4511B1140", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*", "matchCriteriaId": "454A5D17-B171-4F1F-9E0B-F18D1E5CA9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*", "matchCriteriaId": "6EBDAFF8-DE44-4E80-B6BD-E341F767F501", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*", "matchCriteriaId": "823BF8BE-2309-4F67-A5E2-EAD98F723468", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:*:*:*:*", "matchCriteriaId": "C0507E91-567A-41D6-A7E5-5088A39F75FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F92AB32-E7DE-43F4-B877-1F41FA162EC7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "AF3BBBC3-3EF9-4E24-9DE2-627E172A5473", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "7D74A418-50F0-42C0-ABBC-BBBE718FF025", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "133AAFA7-AF42-4D7B-8822-AA2E85611BF5", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:4.7:*:*:*:*:*:*:*", "matchCriteriaId": "E1CA1D49-76E7-4195-98AF-BE916040ECC3", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:5.2:*:*:*:*:*:*:*", "matchCriteriaId": "4814716C-514C-40F7-A59B-ED61F14658DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F9EF63F-DDA3-448B-92D7-27ED92C51FED", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "397313C3-6BF5-4A87-90B3-55678E807171", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "73322DEE-27A6-4D18-88A3-ED7F9CAEABD5", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "54D669D4-6D7E-449D-80C1-28FA44F06FFE", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "53A61204-33CE-422F-8285-20A5E98ADF3F", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E2FE6DAA-4702-409A-98B6-DE13B12805A1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5B5DCF29-6830-45FF-BC88-17E2249C653D", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "D0AC5CD5-6E58-433C-9EB3-6DFE5656463E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:vmware:esx:2.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "C1BA6DF4-4D53-482A-8820-B9B0E6EBD51D", "vulnerable": true}, {"criteria": "cpe:2.3:o:vmware:esx:2.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "ECFD8D25-7FDF-48DF-8728-5875C44FFB53", "vulnerable": true}, {"criteria": "cpe:2.3:o:vmware:esx:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "CE7ECF1C-285C-4AA3-8B66-28EDAB0763E8", "vulnerable": true}, {"criteria": "cpe:2.3:o:vmware:esx:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "902BA958-06AA-4EDF-9F9E-1030083EA361", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document."}, {"lang": "es", "value": "libxml2 2.6.32 y anteriores, no detecta correctamente la recursividad durante la expansi\u00f3n de una entidad en un valor de un atributo; esto permite a atacantes dependientes del contexto provocar una denegaci\u00f3n de servicio (consumo de la memoria y la CPU) mediante un documento XML manipulado."}], "id": "CVE-2008-3281", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2008-08-27T20:41:00.000", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List"], "url": "http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html"}, {"source": "secalert@redhat.com", "tags": ["Broken Link", "Mailing List"], "url": "http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://lists.vmware.com/pipermail/security-announce/2008/000039.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Patch"], "url": "http://mail.gnome.org/archives/xml/2008-August/msg00034.html"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31558"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31566"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31590"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31728"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31748"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31855"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31982"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/32488"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/32807"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/32974"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/35379"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://security.gentoo.org/glsa/glsa-200812-06.xml"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://support.apple.com/kb/HT3613"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://support.apple.com/kb/HT3639"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0325"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.debian.org/security/2008/dsa-1631"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:180"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:192"}, {"source": "secalert@redhat.com", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/archive/1/497962/100/0/threaded"}, {"source": "secalert@redhat.com", "tags": ["Broken Link", "Patch", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/30783"}, {"source": "secalert@redhat.com", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id?1020728"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/usn-640-1"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.vmware.com/security/advisories/VMSA-2008-0017.html"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2008/2419"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2008/2843"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2008/2971"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2009/1522"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2009/1621"}, {"source": "secalert@redhat.com", "tags": ["Release Notes"], "url": "http://xmlsoft.org/news.html"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=458086"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6496"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9812"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://rhn.redhat.com/errata/RHSA-2008-0836.html"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "https://usn.ubuntu.com/644-1/"}, {"source": "secalert@redhat.com", "tags": ["Mailing List"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00261.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00347.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Mailing List"], "url": "http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://lists.vmware.com/pipermail/security-announce/2008/000039.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch"], "url": "http://mail.gnome.org/archives/xml/2008-August/msg00034.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31558"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31566"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31590"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31728"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31748"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31855"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/31982"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/32488"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/32807"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/32974"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/35379"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://security.gentoo.org/glsa/glsa-200812-06.xml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://support.apple.com/kb/HT3613"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://support.apple.com/kb/HT3639"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0325"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.debian.org/security/2008/dsa-1631"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:180"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:192"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/archive/1/497962/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Patch", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/30783"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id?1020728"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/usn-640-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.vmware.com/security/advisories/VMSA-2008-0017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2008/2419"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2008/2843"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2008/2971"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2009/1522"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2009/1621"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "http://xmlsoft.org/news.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=458086"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6496"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9812"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://rhn.redhat.com/errata/RHSA-2008-0836.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://usn.ubuntu.com/644-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00261.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00347.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-776"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Andreas Solberg for reporting this issue.", "affected_release": [{"advisory": "RHSA-2008:0836", "cpe": "cpe:/o:redhat:enterprise_linux:2.1", "package": "libxml2-0:2.4.19-9.ent", "product_name": "Red Hat Enterprise Linux 2.1", "release_date": "2008-08-21T00:00:00Z"}, {"advisory": "RHSA-2008:0836", "cpe": "cpe:/o:redhat:enterprise_linux:3", "package": "libxml2-0:2.5.10-11", "product_name": "Red Hat Enterprise Linux 3", "release_date": "2008-08-21T00:00:00Z"}, {"advisory": "RHSA-2008:0836", "cpe": "cpe:/o:redhat:enterprise_linux:4", "package": "libxml2-0:2.6.16-12.3", "product_name": "Red Hat Enterprise Linux 4", "release_date": "2008-08-21T00:00:00Z"}, {"advisory": "RHSA-2008:0836", "cpe": "cpe:/o:redhat:enterprise_linux:5", "package": "libxml2-0:2.6.26-2.1.2.4", "product_name": "Red Hat Enterprise Linux 5", "release_date": "2008-08-21T00:00:00Z"}], "bugzilla": {"description": "libxml2 denial of service", "id": "458086", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=458086"}, "csaw": false, "details": ["libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document."], "name": "CVE-2008-3281", "public_date": "2008-08-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2008-3281\nhttps://nvd.nist.gov/vuln/detail/CVE-2008-3281"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object