CVE-2017-7375

Published: Feb 19, 2018Modified: Dec 3, 2025

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).

Affected (14)

Products: Xmlsoft: Libxml2 · Debian: Debian Linux · Google: Android

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Xmlsoft Libxml2	Up to 2.9.4

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 7.0
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration C

8 vulnerable

Vulnerable Software	Affected Versions
Google Android	Version 4.4.4
Google Android	Version 5.0.2
Google Android	Version 5.1.1
Google Android	Version 6.0.1
Google Android	Version 6.0
Google Android	Version 7.0
Google Android	Version 7.1.1
Google Android	Version 7.1.2

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Xmlsoft Libxml2	Version 2.9.4 rc1
Xmlsoft Libxml2	Version 2.9.4 rc2

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (16)

http://www.securityfocus.com/bid/98877

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1038623

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa

Source: cve@mitre.org

PatchThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1462203

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e

Source: cve@mitre.org

PatchThird Party Advisory

https://security.gentoo.org/glsa/201711-01

Source: cve@mitre.org

Third Party Advisory

https://source.android.com/security/bulletin/2017-06-01

Source: cve@mitre.org

PatchThird Party Advisory

https://www.debian.org/security/2017/dsa-3952

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/bid/98877

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1038623

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1462203

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://security.gentoo.org/glsa/201711-01

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://source.android.com/security/bulletin/2017-06-01

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.debian.org/security/2017/dsa-3952

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.