libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00802.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Apple
  • Iphone Os
  • Safari
Canonical
  • Ubuntu Linux
Debian
  • Debian Linux
Fedoraproject
  • Fedora
Redhat
  • Enterprise Linux
  • Enterprise Linux Desktop
  • Enterprise Linux Eus
  • Enterprise Linux Server
  • Enterprise Linux Workstation
Vmware
  • Esx
Xmlsoft
  • Libxml2

Configuration 1 [-]

cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:*:*:*:*

Configuration 5 [-]

cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*

Configuration 6 [-]

OR cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:4.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:5.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:2.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:3.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:2.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*

Configuration 7 [-]

OR cpe:2.3:o:vmware:esx:2.5.4:*:*:*:*:*:*:*
cpe:2.3:o:vmware:esx:2.5.5:*:*:*:*:*:*:*
cpe:2.3:o:vmware:esx:3.0.2:*:*:*:*:*:*:*
cpe:2.3:o:vmware:esx:3.0.3:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 2.1
libxml2-0:2.4.19-9.ent cpe:/o:redhat:enterprise_linux:2.1 RHSA-2008:0836 2008-08-21T00:00:00Z
Red Hat Enterprise Linux 3
libxml2-0:2.5.10-11 cpe:/o:redhat:enterprise_linux:3 RHSA-2008:0836 2008-08-21T00:00:00Z
Red Hat Enterprise Linux 4
libxml2-0:2.6.16-12.3 cpe:/o:redhat:enterprise_linux:4 RHSA-2008:0836 2008-08-21T00:00:00Z
Red Hat Enterprise Linux 5
libxml2-0:2.6.26-2.1.2.4 cpe:/o:redhat:enterprise_linux:5 RHSA-2008:0836 2008-08-21T00:00:00Z

No data.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-1631-1 New libxml2 packages fix denial of service
Ubuntu USN Ubuntu USN USN-640-1 libxml2 vulnerability
Ubuntu USN Ubuntu USN USN-644-1 libxml2 vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html cve-icon cve-icon
http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html cve-icon cve-icon
http://lists.vmware.com/pipermail/security-announce/2008/000039.html cve-icon cve-icon
http://mail.gnome.org/archives/xml/2008-August/msg00034.html cve-icon cve-icon
http://secunia.com/advisories/31558 cve-icon cve-icon
http://secunia.com/advisories/31566 cve-icon cve-icon
http://secunia.com/advisories/31590 cve-icon cve-icon
http://secunia.com/advisories/31728 cve-icon cve-icon
http://secunia.com/advisories/31748 cve-icon cve-icon
http://secunia.com/advisories/31855 cve-icon cve-icon
http://secunia.com/advisories/31982 cve-icon cve-icon
http://secunia.com/advisories/32488 cve-icon cve-icon
http://secunia.com/advisories/32807 cve-icon cve-icon
http://secunia.com/advisories/32974 cve-icon cve-icon
http://secunia.com/advisories/35379 cve-icon cve-icon
http://security.gentoo.org/glsa/glsa-200812-06.xml cve-icon cve-icon
http://support.apple.com/kb/HT3613 cve-icon cve-icon
http://support.apple.com/kb/HT3639 cve-icon cve-icon
http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772 cve-icon cve-icon
http://wiki.rpath.com/Advisories:rPSA-2008-0325 cve-icon cve-icon
http://www.debian.org/security/2008/dsa-1631 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2008:180 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2008:192 cve-icon cve-icon
http://www.securityfocus.com/archive/1/497962/100/0/threaded cve-icon cve-icon
http://www.securityfocus.com/bid/30783 cve-icon cve-icon
http://www.securitytracker.com/id?1020728 cve-icon cve-icon
http://www.ubuntu.com/usn/usn-640-1 cve-icon cve-icon
http://www.vmware.com/security/advisories/VMSA-2008-0017.html cve-icon cve-icon
http://www.vupen.com/english/advisories/2008/2419 cve-icon cve-icon
http://www.vupen.com/english/advisories/2008/2843 cve-icon cve-icon
http://www.vupen.com/english/advisories/2008/2971 cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/1522 cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/1621 cve-icon cve-icon
http://xmlsoft.org/news.html cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=458086 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2008-3281 cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6496 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9812 cve-icon cve-icon
https://rhn.redhat.com/errata/RHSA-2008-0836.html cve-icon cve-icon
https://usn.ubuntu.com/644-1/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2008-3281 cve-icon
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00261.html cve-icon cve-icon
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00347.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2024-08-07T09:28:41.985Z

Reserved: 2008-07-24T00:00:00

Link: CVE-2008-3281

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2008-08-27T20:41:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-3281

cve-icon Redhat

Severity : Moderate

Publid Date: 2008-08-20T00:00:00Z

Links: CVE-2008-3281 - Bugzilla

cve-icon OpenCVE Enrichment

No data.