CVE-2017-9049 : libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-re

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.

Published 2017-05-18 06:29:00

Updated 2021-06-29 15:15:14

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2017-9049

Xmlsoft » Libxml2 » Version: 2.9.4
cpe:2.3:a:xmlsoft:libxml2:2.9.4:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-9049

EPSS FAQ

0.32%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 52 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-9049

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2017-9049

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-9049

https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E

CVEs referencing this url
http://www.debian.org/security/2017/dsa-3952

Debian -- Security Information -- DSA-3952-1 libxml2

CVEs referencing this url
http://www.securityfocus.com/bid/98601

libxml2 CVE-2017-9049 Heap Buffer Overflow Vulnerability
Third Party Advisory;VDB Entry
http://www.openwall.com/lists/oss-security/2017/05/15/1

oss-security - Invalid writes and reads in libxml2
Exploit;Mailing List;Patch;Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/201711-01

libxml2: Multiple vulnerabilities (GLSA 201711-01) — Gentoo security

CVEs referencing this url
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E

[GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8 - Pony Mail

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-9049

Products affected by CVE-2017-9049

Exploit prediction scoring system (EPSS) score for CVE-2017-9049

CVSS scores for CVE-2017-9049

CWE ids for CVE-2017-9049

References for CVE-2017-9049