Vulnerability Details : CVE-2009-3627
The decode_entities function in util.c in HTML-Parser before 3.63 allows context-dependent attackers to cause a denial of service (infinite loop) via an incomplete SGML numeric character reference, which triggers generation of an invalid UTF-8 character.
Vulnerability category: Input validationDenial of service
Products affected by CVE-2009-3627
- cpe:2.3:a:derrick_oswald:html-parser:*:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.00:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.42:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.41:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-3627
0.24%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 61 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2009-3627
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2009-3627
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2009-3627
-
Red Hat 2009-11-19This issue does not affect Red Hat Enterprise Linux 3, 4, or 5. This flaw can only lead to a denial of service if perl-HTML-Parser is used in conjunction with perl 5.10.1. If perl-HTML-Parser is used with earlier versions of perl, this flaw does not lead to a denial of service.
References for CVE-2009-3627
-
http://www.securityfocus.com/bid/36807
Patch
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/53941
HTML-Parser decode_entities() denial of service CVE-2009-3627 Vulnerability Report
-
http://www.openwall.com/lists/oss-security/2009/10/23/9
oss-security - CVE-2009-3627 assignment notification - HTML-Parser-3.63Patch
-
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225
6225 – Invalid numerical HTML entity crashes perlPatch
-
https://bugzilla.redhat.com/show_bug.cgi?id=530604
530604 – (CVE-2009-3627) CVE-2009-3627 perl-HTML-Parser: Production of invalid (wide) character(s) while parsing HTML entity(ies) with invalid UTF-8 character(s)
-
http://github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c
decode_entities confused by trailing incomplete entity · gisle/html-parser@b9aae1e · GitHub
-
http://www.vupen.com/english/advisories/2009/3022
Site en constructionPatch;Vendor Advisory
Jump to