CVE-2022-25235

Published: Feb 16, 2022Modified: May 5, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

Affected (9)

Products: Libexpat Project: Libexpat · Debian: Debian Linux · Fedoraproject: Fedora · +2 more

Show all products

Libexpat Project: Libexpat · Debian: Debian Linux · Fedoraproject: Fedora · Oracle: Http Server, Zfs Storage Appliance Kit · Siemens: Sinema Remote Connect Server

1 product

1 product

1 product

2 products

Zfs Storage Appliance Kit

Siemens

1 product

Sinema Remote Connect Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Libexpat Project Libexpat	Before 2.4.5

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 34
Fedoraproject Fedora	Version 35

Configuration D

3 vulnerable

Vulnerable Software	Affected Versions
Oracle Http Server	Version 12.2.1.3.0
Oracle Http Server	Version 12.2.1.4.0
Oracle Zfs Storage Appliance Kit	Version 8.8

Configuration E

1 vulnerable

Vulnerable Software	Affected Versions
Siemens Sinema Remote Connect Server	Before 3.1

Related CWEs

CWE-116

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (20)

http://www.openwall.com/lists/oss-security/2022/02/19/1

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf

Source: cve@mitre.org

Third Party Advisory

https://github.com/libexpat/libexpat/pull/562

Source: cve@mitre.org

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/

Source: cve@mitre.org

https://security.gentoo.org/glsa/202209-24

Source: cve@mitre.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220303-0008/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2022/dsa-5085

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: cve@mitre.org

PatchThird Party Advisory

http://www.openwall.com/lists/oss-security/2022/02/19/1