CVE-2020-24977 : GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xml

GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.

Published 2020-09-04 00:15:11

Updated 2022-07-25 18:15:20

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2020-24977

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Http Server » Version: 12.2.1.3.0
cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Http Server » Version: 12.2.1.4.0
cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.58
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Ops Center » Version: 12.4.0.0
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Base Platform » Version: 13.4.0.0
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Base Platform » Version: 13.5.0.0
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql Workbench
Versions up to, including, (<=) 8.0.26
cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*
Matching versions
Oracle » Real User Experience Insight » Version: 13.4.1.0
cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Real User Experience Insight » Version: 13.5.1.0
cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Function Cloud Native Environment » Version: 1.10.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
Matching versions
Xmlsoft » Libxml2 » Version: 2.9.10
cpe:2.3:a:xmlsoft:libxml2:2.9.10:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 31
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.2
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
Matching versions
Netapp » Clustered Data Ontap » Version: N/A
cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
Matching versions
Netapp » Snapdrive » Version: N/A For Unix
cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*
Matching versions
Netapp » Snapdrive » Version: N/A For Windows
cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*
Matching versions
Netapp » Clustered Data Ontap Antivirus Connector » Version: N/A
cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*
Matching versions
Netapp » Active Iq Unified Manager » For Windows
Versions from including (>=) 7.3
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
Matching versions
Netapp » Active Iq Unified Manager » For Vmware Vsphere
Versions from including (>=) 9.5
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Manageability Software Development Kit » Version: N/A
cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*
Matching versions
Netapp » Inventory Collect Tool » Version: N/A
cpe:2.3:a:netapp:inventory_collect_tool:-:*:*:*:*:*:*:*
Matching versions
Netapp » Hci H410c Firmware » Version: N/A
cpe:2.3:o:netapp:hci_h410c_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » Hci H410c » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2020-24977

EPSS FAQ

0.48%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 62 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-24977

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.4	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:P	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: Partial
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L	3.9	2.5	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: Low

CWE ids for CVE-2020-24977

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-24977

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html

[security-announce] openSUSE-SU-2020:1465-1: moderate: Security update f
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H3IQ7OQXBKWD3YP7HO6KCNOMLE5ZO2IR/

[SECURITY] Fedora 31 Update: mingw-libxml2-2.9.10-3.fc31 - package-announce - Fedora Mailing-Lists
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/674LQPJO2P2XTBTREFR5LOZMBTZ4PZAY/

[SECURITY] Fedora 32 Update: libxml2-2.9.10-8.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J3ICASXZI2UQYFJAOQWHSTNWGED3VXOE/

[SECURITY] Fedora 31 Update: libxml2-2.9.10-4.fc31 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/

[SECURITY] Fedora 33 Update: libxml2-2.9.10-8.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KQXOHIE3MNY3VQXEN7LDQUJNIHOVHAW/

[SECURITY] Fedora 33 Update: mingw-libxml2-2.9.10-3.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7MEWYKIKMV2SKMGH4IDWVU3ZGJXBCPQ/

[SECURITY] Fedora 32 Update: mingw-libxml2-2.9.10-3.fc32 - package-announce - Fedora Mailing-Lists
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RIQAMBA2IJUTQG5VOP5LZVIZRNCKXHEQ/

[SECURITY] Fedora 32 Update: mingw-libxml2-2.9.10-8.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://security.gentoo.org/glsa/202107-05

libxml2: Multiple vulnerabilities (GLSA 202107-05) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/

[SECURITY] Fedora 32 Update: libxml2-2.9.10-7.fc32 - package-announce - Fedora Mailing-Lists
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00036.html

[security-announce] openSUSE-SU-2020:1430-1: moderate: Security update f
Mailing List;Third Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2

Fix out-of-bounds read with 'xmllint --htmlout' (50f06b3e) · Commits · GNOME / libxml2 · GitLab
Patch;Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html

[SECURITY] [DLA 2369-1] libxml2 security update
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCHXIWR5DHYO3RSO7RAHEC6VJKXD2EH2/

[SECURITY] Fedora 33 Update: libxml2-2.9.10-7.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E

[jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle Critical Patch Update Advisory - October 2021
Patch;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KTUAGDLEHTH6HU66HBFAFTSQ3OKRAN3/

[SECURITY] Fedora 33 Update: mingw-libxml2-2.9.10-8.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://security.netapp.com/advisory/ntap-20200924-0001/

CVE-2020-24977 Libxml2 Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/-/issues/178

xmllint: global-buffer-overflow in xmlEncodeEntitiesInternal (#178) · Issues · GNOME / libxml2 · GitLab
Exploit;Issue Tracking;Patch;Vendor Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-24977

Products affected by CVE-2020-24977

Exploit prediction scoring system (EPSS) score for CVE-2020-24977

CVSS scores for CVE-2020-24977

CWE ids for CVE-2020-24977

References for CVE-2020-24977