Vulnerability Details: CVE-2017-7375
A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2017-7375
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.4.4:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:7.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*
- cpe:2.3:a:xmlsoft:libxml2:2.9.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:xmlsoft:libxml2:2.9.4:rc1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-7375
EPSS score: 0.53% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~77% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2017-7375
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2017-7375
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2017-7375
- https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa
  308396a55280f69ad4112d4f9892f4cbeff042aa - platform/external/libxml2 - Git at Google (Patch; Third Party Advisory)
- https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e
  Prevent unwanted external entity reference (90ccb582) · Commits · GNOME / libxml2 · GitLab (Patch; Third Party Advisory)
- https://www.debian.org/security/2017/dsa-3952
  Debian -- Security Information -- DSA-3952-1 libxml2 (Third Party Advisory)
- https://source.android.com/security/bulletin/2017-06-01
  Android Security Bulletin—June 2017 | Android Open Source Project (Patch; Third Party Advisory)
- http://www.securityfocus.com/bid/98877
  Google Android Libraries Multiple Remote Code Execution Vulnerabilities (Third Party Advisory; VDB Entry)
- http://www.securitytracker.com/id/1038623
  Google Android Multiple Flaws Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code and Let Local Apps Gain Elevated Privileges - SecurityTracker (Third Party Advisory; VDB Entry)
- https://security.gentoo.org/glsa/201711-01
  libxml2: Multiple vulnerabilities (GLSA 201711-01) — Gentoo security (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1462203
  1462203 – (CVE-2017-7375) CVE-2017-7375 libxml2: Missing validation for external entities in xmlParsePEReference (Issue Tracking; Patch; Third Party Advisory)