Vulnerability Details : CVE-2023-34411
The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9.
Vulnerability category: XML external entity (XXE) injection; Denial of service
Products affected by CVE-2023-34411
- cpe:2.3:a:xml_library_project:xml_library:*:*:*:*:*:rust:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-34411
0.14% (probability of exploitation activity in the next 30 days)
EPSS Score History
~51% (percentile: the proportion of vulnerabilities scored at or below this EPSS score)
CVSS scores for CVE-2023-34411
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2023-34411
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2023-34411
- https://github.com/netvl/xml-rs/commit/c09549a187e62d39d40467f129e64abf32efc35c
  Avoid panic when displaying unexpected token error · netvl/xml-rs@c09549a · GitHub [Patch]
- https://github.com/netvl/xml-rs/pull/226
  Avoid panic when displaying unexpected token error by 00xc · Pull Request #226 · netvl/xml-rs · GitHub [Exploit]
- https://github.com/netvl/xml-rs/compare/0.8.13...0.8.14
  Comparing 0.8.13...0.8.14 · netvl/xml-rs · GitHub [Patch]
- https://github.com/00xc/xml-rs/commit/0f084d45aa53e4a27476961785f59f2bd7d59a9f
  Parse DOCTYPE markup declarations · 00xc/xml-rs@0f084d4 · GitHub [Patch]