CVE-2008-3281

libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.

Published: Aug 27, 2008
Updated: May 9, 2024
CVE: CVE-2008-3281
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
xmlsoft / libxml2	-	2.6.32.x
apple / safari	-	4.0
apple / iphone_os	1.0.0	3.0
fedoraproject / fedora	9	9.x
canonical / ubuntu_linux	7.04	7.04.x
canonical / ubuntu_linux	7.10	7.10.x
canonical / ubuntu_linux	8.04	8.04.x
canonical / ubuntu_linux	6.06	6.06.x
debian / debian_linux	4.0	4.0.x
redhat / enterprise_linux_server	5.0	5.0.x
redhat / enterprise_linux_desktop	3.0	3.0.x
redhat / enterprise_linux_workstation	5.0	5.0.x
redhat / enterprise_linux_desktop	4.0	4.0.x
redhat / enterprise_linux_desktop	5.0	5.0.x
redhat / enterprise_linux_eus	4.7	4.7.x
redhat / enterprise_linux_server	4.0	4.0.x
redhat / enterprise_linux_workstation	4.0	4.0.x
redhat / enterprise_linux_workstation	3.0	3.0.x
redhat / enterprise_linux_server	3.0	3.0.x
redhat / enterprise_linux_eus	5.2	5.2.x
redhat / enterprise_linux_server	2.0	2.0.x
redhat / enterprise_linux_workstation	2.0	2.0.x
vmware / esx	2.5.4	2.5.4.x
vmware / esx	3.0.2	3.0.2.x
vmware / esx	2.5.5	2.5.5.x
vmware / esx	3.0.3	3.0.3.x

Vulnerability Database

289,599

CVE-2008-3281