Mission and Overview
NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status
NVD contains:
CVE Vulnerabilities
38497
Checklists
128
US-CERT Alerts
179
US-CERT Vuln Notes
2345
OVAL Queries
2517
CPE Names
17819

Last updated: Sun Aug 30 12:59:08 EDT 2009

CVE Publication rate: 17.27

Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index

Vulnerability Workload Index: 10.01

About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

National Cyber-Alert System

Vulnerability Summary for CVE-2008-3281

Original release date:08/27/2008
Last revised:06/23/2009
Source: US-CERT/NIST

Overview

libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type:Allows disruption of serviceUnknown

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: BID
Name: 30783
Type: Patch Information
Hyperlink:http://www.securityfocus.com/bid/30783
External Source: FEDORA
Name: FEDORA-2008-7395
Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00347.html
External Source: FEDORA
Name: FEDORA-2008-7594
Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00261.html
External Source: REDHAT
Name: RHSA-2008:0836
Hyperlink:https://rhn.redhat.com/errata/RHSA-2008-0836.html
External Source: CONFIRM
Name: https://bugzilla.redhat.com/show_bug.cgi?id=458086
Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=458086
External Source: CONFIRM
Name: http://xmlsoft.org/news.html
Hyperlink:http://xmlsoft.org/news.html
External Source: VUPEN
Name: ADV-2009-1621
Hyperlink:http://www.vupen.com/english/advisories/2009/1621
External Source: VUPEN
Name: ADV-2009-1522
Hyperlink:http://www.vupen.com/english/advisories/2009/1522
External Source: MISC
Name: http://www.vmware.com/security/advisories/VMSA-2008-0017.html
Hyperlink:http://www.vmware.com/security/advisories/VMSA-2008-0017.html
External Source: UBUNTU
Name: USN-644-1
Hyperlink:http://www.ubuntulinux.org/support/documentation/usn/usn-644-1
External Source: UBUNTU
Name: USN-640-1
Hyperlink:http://www.ubuntu.com/usn/usn-640-1
External Source: SECTRACK
Name: 1020728
Hyperlink:http://www.securitytracker.com/id?1020728
External Source: BUGTRAQ
Name: 20081031 VMSA-2008-0017 Updated ESX packages for libxml2, ucd-snmp, libtiff
Hyperlink:http://www.securityfocus.com/archive/1/archive/1/497962/100/0/threaded
External Source: MANDRIVA
Name: MDVSA-2008:192
Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2008:192
External Source: MANDRIVA
Name: MDVSA-2008:180
Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2008:180
External Source: VUPEN
Name: ADV-2008-2971
Hyperlink:http://www.frsirt.com/english/advisories/2008/2971
External Source: VUPEN
Name: ADV-2008-2843
Hyperlink:http://www.frsirt.com/english/advisories/2008/2843
External Source: VUPEN
Name: ADV-2008-2419
Hyperlink:http://www.frsirt.com/english/advisories/2008/2419
External Source: DEBIAN
Name: DSA-1631
Hyperlink:http://www.debian.org/security/2008/dsa-1631
External Source: CONFIRM
Name: http://wiki.rpath.com/Advisories:rPSA-2008-0325
Hyperlink:http://wiki.rpath.com/Advisories:rPSA-2008-0325
External Source: CONFIRM
Name: http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772
Hyperlink:http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772
External Source: CONFIRM
Name: http://support.apple.com/kb/HT3639
Hyperlink:http://support.apple.com/kb/HT3639
External Source: CONFIRM
Name: http://support.apple.com/kb/HT3613
Hyperlink:http://support.apple.com/kb/HT3613
External Source: GENTOO
Name: GLSA-200812-06
Hyperlink:http://security.gentoo.org/glsa/glsa-200812-06.xml
External Source: SECUNIA
Name: 35379
Hyperlink:http://secunia.com/advisories/35379
External Source: SECUNIA
Name: 32974
Hyperlink:http://secunia.com/advisories/32974
External Source: SECUNIA
Name: 32807
Hyperlink:http://secunia.com/advisories/32807
External Source: SECUNIA
Name: 32488
Hyperlink:http://secunia.com/advisories/32488
External Source: SECUNIA
Name: 31982
Hyperlink:http://secunia.com/advisories/31982
External Source: SECUNIA
Name: 31855
Hyperlink:http://secunia.com/advisories/31855
External Source: SECUNIA
Name: 31748
Hyperlink:http://secunia.com/advisories/31748
External Source: SECUNIA
Name: 31728
Hyperlink:http://secunia.com/advisories/31728
External Source: SECUNIA
Name: 31590
Hyperlink:http://secunia.com/advisories/31590
External Source: SECUNIA
Name: 31566
Hyperlink:http://secunia.com/advisories/31566
External Source: SECUNIA
Name: 31558
Hyperlink:http://secunia.com/advisories/31558
External Source: MLIST
Name: [xml] 20080820 Security fix for libxml2
Hyperlink:http://mail.gnome.org/archives/xml/2008-August/msg00034.html
External Source: MLIST
Name: [Security-announce] 20081030 VMSA-2008-0017 Updated ESX packages for libxml2, ucd-snmp, libtiff
Hyperlink:http://lists.vmware.com/pipermail/security-announce/2008/000039.html
External Source: SUSE
Name: SUSE-SR:2008:018
Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
External Source: APPLE
Name: APPLE-SA-2009-06-17-1
Hyperlink:http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
External Source: APPLE
Name: APPLE-SA-2009-06-08-1
Hyperlink:http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html

Vulnerable software and versions

Nav control imageConfiguration 1
spacerNav control imageOR
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.4.19
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.4.23
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.5.10
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.5.11
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.5.4
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.6.0
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.6.1
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.6.11
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.6.12
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.6.13
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.6.14
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.6.2
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.6.3
spacerspacerNav control image* cpe:/a:xmlsoft:libxml2:2.6.32 and previous versions
* Denotes Vulnerable Software
* Changes related to vulnerability configurations

Technical Details

Vulnerability Type (View All)
  • Resource Management Errors (CWE-399)
CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3281