Vulnerability Details : CVE-2015-8035
The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.
Vulnerability category: Denial of service
Products affected by CVE-2015-8035
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
- cpe:2.3:a:xmlsoft:libxml2:2.9.1:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-8035
0.97%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 81 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-8035
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.6
|
LOW | AV:N/AC:H/Au:N/C:N/I:N/A:P |
4.9
|
2.9
|
NIST |
CWE ids for CVE-2015-8035
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-8035
-
https://support.apple.com/HT206169
About the security content of tvOS 9.2 - Apple Support
-
http://xmlsoft.org/news.html
ReleasesVendor Advisory
-
http://www.openwall.com/lists/oss-security/2015/11/02/4
oss-security - Re: CVE request: DoS in libxml2 if xz is enabled
-
https://support.apple.com/HT206168
About the security content of watchOS 2.2 - Apple Support
-
http://www.debian.org/security/2015/dsa-3430
Debian -- Security Information -- DSA-3430-1 libxml2
-
http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
Apple - Lists.apple.com
-
https://bugzilla.gnome.org/show_bug.cgi?id=757466
Bug 757466 – DoS in libxml2 if xz is enabledExploit
-
https://security.gentoo.org/glsa/201701-37
libxml2: Multiple vulnerabilities (GLSA 201701-37) — Gentoo security
-
https://support.apple.com/HT206166
About the security content of iOS 9.3 - Apple Support
-
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017
HPSBMU03593 rev.2 - HPE System Management Homepage (SMH), Remote Code Execution, Denial of Service (DoS), Disclosure of Sensitive Information
-
http://www.openwall.com/lists/oss-security/2015/11/03/1
oss-security - Re: CVE request: DoS in libxml2 if xz is enabled
-
https://support.apple.com/HT206167
About the security content of OS X El Capitan v10.11.4 and Security Update 2016-002 - Apple Support
-
http://www.openwall.com/lists/oss-security/2015/11/02/2
oss-security - CVE request: DoS in libxml2 if xz is enabled
-
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177381.html
[SECURITY] Fedora 22 Update: mingw-libxml2-2.9.3-1.fc22
-
http://www.securitytracker.com/id/1034243
Libxml2 Multiple Flaws Let Remote Users Deny Service and Cause Other Unspecified Impacts - SecurityTracker
-
http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
openSUSE-SU-2015:2372-1: moderate: Security update for libxml2
-
http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html
Apple - Lists.apple.com
-
http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
Apple - Lists.apple.com
-
http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html
openSUSE-SU-2016:0106-1: moderate: Security update for libxml2
-
http://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html
Apple - Lists.apple.com
-
http://rhn.redhat.com/errata/RHSA-2016-1089.html
Red Hat Customer Portal
-
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380
HPSBMU03612 rev.2 - HPE Insight Control on Windows and Linux, Multiple Remote Vulnerabilities
-
http://www.ubuntu.com/usn/USN-2812-1
USN-2812-1: libxml2 vulnerabilities | Ubuntu security notices
-
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177341.html
[SECURITY] Fedora 23 Update: mingw-libxml2-2.9.3-1.fc23
-
http://www.securityfocus.com/bid/77390
Libxml2 'parser.c' Denial of Service Vulnerability
Jump to