CVE-2017-5130 : An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other pro

An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file.

Published 2018-02-07 23:29:01

Updated 2022-04-08 23:15:08

Source Chrome

View at NVD, CVE.org

Vulnerability category: OverflowMemory Corruption

Exploit prediction scoring system (EPSS) score for CVE-2017-5130

Probability of exploitation activity in the next 30 days: 0.70%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 78 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2017-5130

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-5130

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-5130

https://git.gnome.org/browse/libxml2/commit/?id=897dffbae322b46b83f99a607d527058a72c51ed

Check for integer overflow in memory debug code (897dffba) · Commits · GNOME / libxml2 · GitLab
Third Party Advisory
https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html

Chrome Releases: Stable Channel Update for Desktop
Vendor Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/101482

Google Chrome Prior to 62.0.3202.62 Multiple Security Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
http://bugzilla.gnome.org/show_bug.cgi?id=783026

Access Denied
Issue Tracking
https://www.oracle.com/security-alerts/cpuapr2020.html

Oracle Critical Patch Update Advisory - April 2020

CVEs referencing this url
https://crbug.com/722079

722079 - libxml2 - Heap Overflow in xmlMemStrdupLoc - chromium - Monorail
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html

[SECURITY] [DLA 2972-1] libxml2 security update

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20190719-0001/

April 2018 Libxml2 Vulnerabilities in NetApp Products | NetApp Product Security

CVEs referencing this url
https://security.gentoo.org/glsa/201710-24

Chromium, Google Chrome: Multiple vulnerabilities (GLSA 201710-24) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:2997

RHSA-2017:2997 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2017/11/msg00034.html

[SECURITY] [DLA 1188-1] libxml2 security update
Third Party Advisory

Products affected by CVE-2017-5130

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Google » Chrome
Versions before (<) 62.0.3202.62
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Matching versions
Xmlsoft » Libxml2
Versions before (<) 2.9.5
cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2017-5130

Exploit prediction scoring system (EPSS) score for CVE-2017-5130

CVSS scores for CVE-2017-5130

CWE ids for CVE-2017-5130

References for CVE-2017-5130

Products affected by CVE-2017-5130