Vulnerability Details : CVE-2009-3560
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.
Vulnerability category: Overflow; Denial of service
Products affected by CVE-2009-3560
- cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:libexpat_project:libexpat:2.0.1:*:*:*:*:*:*:* (when used together with: Xmltwig » Xml-twig For Perl)
Exploit prediction scoring system (EPSS) score for CVE-2009-3560
EPSS score: 1.15% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~85% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2009-3560
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST |
CWE ids for CVE-2009-3560
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2009-3560
- https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E
  svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2 (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E
  svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html s (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
  [security-announce] SUSE Security Summary Report: SUSE-SR:2010:013 (Third Party Advisory; VDB Entry)
- http://www.debian.org/security/2009/dsa-1953
  Debian -- Security Information -- DSA-1953-1 expat (Third Party Advisory)
- https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E
  svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_ (Mailing List; Third Party Advisory)
- https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00394.html
  [SECURITY] Fedora 11 Update: expat-2.0.1-8.fc11 (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E
  svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html (Mailing List; Third Party Advisory)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12942
  404 Not Found (Broken Link)
- https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E
  svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/ - Pony Mail (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
  [security-announce] SUSE Security Summary Report: SUSE-SR:2010:012 (Third Party Advisory; VDB Entry)
- http://www.vupen.com/english/advisories/2010/0528
  Webmail: access your OVH emails on ovhcloud.com | OVHcloud (Broken Link)
- https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E
  svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html s (Mailing List; Third Party Advisory)
- http://www.vupen.com/english/advisories/2010/1107
  Webmail | OVH- OVH (Broken Link)
- http://marc.info/?l=bugtraq&m=130168502603566&w=2
  '[security bulletin] HPSBUX02645 SSRT100387 rev.1 - HP-UX Apache Web Server, Remote Information Discl' - MARC (Mailing List; Third Party Advisory)
- http://secunia.com/advisories/43300
  About Secunia Research | Flexera (Broken Link)
- http://lists.vmware.com/pipermail/security-announce/2010/000082.html
  502 Bad Gateway (Broken Link)
- http://www.ubuntu.com/usn/USN-890-6
  USN-890-6: CMake vulnerabilities | Ubuntu security notices | Ubuntu (Third Party Advisory)
- https://lists.apache.org/thread.html/rad2acee3ab838b52c04a0698b1728a9a43467bf365bd481c993c535d@%3Ccvs.httpd.apache.org%3E
  svn commit: r1073149 [7/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ - Pony Mail (Mailing List; Third Party Advisory)
- http://www.ubuntu.com/usn/USN-890-1
  USN-890-1: Expat vulnerabilities | Ubuntu security notices | Ubuntu (Third Party Advisory; VDB Entry)
- http://secunia.com/advisories/38231
  About Secunia Research | Flexera (Broken Link)
- https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00413.html
  [SECURITY] Fedora 12 Update: expat-2.0.1-8.fc12 (Mailing List; Third Party Advisory)
- http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.165
  CVS Info for project expat (Broken Link)
- http://secunia.com/advisories/38794
  About Secunia Research | Flexera (Broken Link)
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
  svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ - Pony Mail (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
  [security-announce] SUSE Security Summary Report: SUSE-SR:2010:001 (Third Party Advisory)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10613
  404 Not Found (Broken Link)
- https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E
  svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_ (Mailing List; Third Party Advisory)
- http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
  CVS Info for project expat (Permissions Required)
- https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00370.html
  [SECURITY] Fedora 10 Update: expat-2.0.1-8.fc10 (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
  Pony Mail! (Mailing List; Third Party Advisory)
- http://mail.python.org/pipermail/expat-bugs/2009-November/002846.html
  [Expat-bugs] [ expat-Bugs-2894085 ] expat: buffer over-read and crash in big2_toUtf8() (Exploit)
- http://secunia.com/advisories/38832
  About Secunia Research | Flexera (Broken Link)
- https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E
  svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_ (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10@%3Ccvs.httpd.apache.org%3E
  svn commit: r1075467 [1/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2 (Mailing List; Third Party Advisory)
- http://secunia.com/advisories/38834
  About Secunia Research | Flexera (Broken Link)
- http://www.vupen.com/english/advisories/2010/0896
  Webmail: access your OVH emails on ovhcloud.com | OVHcloud (Broken Link)
- http://www.vupen.com/english/advisories/2011/0359
  Webmail: access your OVH emails on ovhcloud.com | OVHcloud (Broken Link)
- https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e@%3Ccvs.httpd.apache.org%3E
  svn commit: r1073139 [6/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ - Pony Mail (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E
  svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_ (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7@%3Ccvs.httpd.apache.org%3E
  svn commit: r1888194 [6/13] - /httpd/site/trunk/content/security/json/ - Pony Mail (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4@%3Ccvs.httpd.apache.org%3E
  svn commit: r1075360 [1/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2 (Mailing List; Third Party Advisory)
- http://secunia.com/advisories/39478
  About Secunia Research | Flexera (Broken Link)
- https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E
  Pony Mail! (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E
  svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_ (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
  [security-announce] SUSE Security Summary Report: SUSE-SR:2010:014 (Third Party Advisory; VDB Entry)
- http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
  [security-announce] SUSE Security Summary Report: SUSE-SR:2010:011 (Third Party Advisory; VDB Entry)
- http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026
  The Slackware Linux Project: Slackware Security Advisories (Mailing List; Third Party Advisory)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6883
  404 Not Found (Broken Link)
- http://www.securityfocus.com/bid/37203
  (Third Party Advisory; VDB Entry)
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:316
  Mandriva (Broken Link)
- http://www.redhat.com/support/errata/RHSA-2011-0896.html
  Support (Broken Link)
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-273630-1
  (Mailing List; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=533174
  533174 – (CVE-2009-3560) CVE-2009-3560 expat: buffer over-read and crash in big2_toUtf8() on XML with malformed UTF-8 sequences (Issue Tracking; Patch)
- http://secunia.com/advisories/41701
  Sign in (Broken Link)
- https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E
  svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_ (Mailing List; Third Party Advisory)
- http://www.securitytracker.com/id?1023278
  (Third Party Advisory; VDB Entry)
- https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E
  svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_ (Mailing List; Third Party Advisory)
- http://secunia.com/advisories/37537
  About Secunia Research | Flexera (Broken Link)