CVE-2003-1564
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
31/12/2003
Last modified:
03/04/2025
Description
libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Base Score 2.0
9.30
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:* | 2.5.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://mail.gnome.org/archives/xml/2008-August/msg00034.html
- http://secunia.com/advisories/31868
- http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2
- http://www.redhat.com/support/errata/RHSA-2008-0886.html
- http://www.stylusstudio.com/xmldev/200302/post20020.html
- http://xmlsoft.org/news.html
- http://mail.gnome.org/archives/xml/2008-August/msg00034.html
- http://secunia.com/advisories/31868
- http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2
- http://www.redhat.com/support/errata/RHSA-2008-0886.html
- http://www.stylusstudio.com/xmldev/200302/post20020.html
- http://xmlsoft.org/news.html