CVE-2011-1756 : modules/xmpp/serv_xmpp.c in Citadel 7.86 and earlier does not properly detect re

modules/xmpp/serv_xmpp.c in Citadel 7.86 and earlier does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

Published 2011-06-21 02:52:44

Updated 2025-04-11 00:51:22

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2011-1756

Citadel » Citadel
Versions up to, including, (<=) 7.86
cpe:2.3:a:citadel:citadel:*:*:*:*:*:*:*:*
Matching versions
Citadel » Citadel » Version: 7.80
cpe:2.3:a:citadel:citadel:7.80:*:*:*:*:*:*:*
Matching versions
Citadel » Citadel » Version: 7.81
cpe:2.3:a:citadel:citadel:7.81:*:*:*:*:*:*:*
Matching versions
Citadel » Citadel » Version: 7.82
cpe:2.3:a:citadel:citadel:7.82:*:*:*:*:*:*:*
Matching versions
Citadel » Citadel » Version: 7.84
cpe:2.3:a:citadel:citadel:7.84:*:*:*:*:*:*:*
Matching versions
Citadel » Citadel » Version: 7.50
cpe:2.3:a:citadel:citadel:7.50:*:*:*:*:*:*:*
Matching versions
Citadel » Citadel » Version: 7.60
cpe:2.3:a:citadel:citadel:7.60:*:*:*:*:*:*:*
Matching versions
Citadel » Citadel » Version: 7.11
cpe:2.3:a:citadel:citadel:7.11:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2011-1756

Top countries where our scanners detected CVE-2011-1756

Top open port discovered on systems with this issue 2020

IPs affected by CVE-2011-1756 45

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2011-1756!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2011-1756

EPSS FAQ

1.46%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 79 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2011-1756

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2011-1756

CWE-399

Assigned by: nvd@nist.gov (Primary)

References for CVE-2011-1756

http://packages.debian.org/changelogs/pool/main/c/citadel/citadel_7.37-8+lenny1/changelog

404 Not Found
http://code.citadel.org/cgit.cgi/git.citadel.org/commit/?id=95040add546a705cc2d1d8f16293141f9f9845a6

404 Not Found
Patch
http://code.citadel.org/cgit.cgi/git.citadel.org/commit/?id=27c991cc2059f5530d3d4e9689dc976b745f5b0c

404 Not Found
Patch
http://www.debian.org/security/2011/dsa-2250

Debian -- Security Information -- DSA-2250-1 citadel
http://www.securityfocus.com/bid/48071

Citadel XML Parsing Denial of Service Vulnerability
http://secunia.com/advisories/44788

Sign in
Vendor Advisory
http://packages.debian.org/changelogs/pool/main/c/citadel/citadel_7.83-2squeeze2/changelog

404 Not Found
http://security.debian.org/debian-security/pool/updates/main/c/citadel/citadel_7.83-2squeeze2.diff.gz

404 Not Found
Patch