CVE-2022-25236

Published: Feb 16, 2022Modified: May 5, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

Affected (7)

Products: Libexpat Project: Libexpat · Debian: Debian Linux · Oracle: Http Server, Zfs Storage Appliance Kit · +1 more

Show all products

Libexpat Project: Libexpat · Debian: Debian Linux · Oracle: Http Server, Zfs Storage Appliance Kit · Siemens: Sinema Remote Connect Server

Libexpat Project

1 product

1 product

2 products

Zfs Storage Appliance Kit

1 product

Sinema Remote Connect Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Libexpat Project Libexpat	Before 2.4.5

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Oracle Http Server	Version 12.2.1.3.0
Oracle Http Server	Version 12.2.1.4.0
Oracle Zfs Storage Appliance Kit	Version 8.8
Siemens Sinema Remote Connect Server	Before 3.1

Related CWEs

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References (22)

http://packetstormsecurity.com/files/167238/Zoom-XMPP-Stanza-Smuggling-Remote-Code-Execution.html

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.openwall.com/lists/oss-security/2022/02/19/1

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf

Source: cve@mitre.org

Third Party Advisory

https://github.com/libexpat/libexpat/pull/561

Source: cve@mitre.org

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html

Source: cve@mitre.org

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/

Source: cve@mitre.org

https://security.gentoo.org/glsa/202209-24

Source: cve@mitre.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220303-0008/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2022/dsa-5085

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: cve@mitre.org

PatchThird Party Advisory

http://packetstormsecurity.com/files/167238/Zoom-XMPP-Stanza-Smuggling-Remote-Code-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.openwall.com/lists/oss-security/2022/02/19/1

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/libexpat/libexpat/pull/561

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202209-24

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220303-0008/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2022/dsa-5085

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.