[email protected]CVE-2010-4008

HistoryNov 17, 2010 - 1:00 a.m.

CVE-2010-4008

2010-11-1701:00:02

CWE-119

[email protected]

web.nvd.nist.gov

libxml2

vulnerability

cve-2010-4008

google chrome

apple safari

xpath

denial of service

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

5.6 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

54.4%

JSON

libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application crash) via a crafted XML document.

Affected configurations

NVD

Node

googlechromeRange<7.0.517.44

Node

appleitunesRange<10.2

applesafariRange<5.0.4

appleiphone_osRange<4.2

applemac_os_xRange<10.6.7

Node

xmlsoftlibxml2Range<2.7.8

Node

debiandebian_linuxMatch5.0

debiandebian_linuxMatch6.0

Node

canonicalubuntu_linuxMatch6.06lts

canonicalubuntu_linuxMatch8.04lts

canonicalubuntu_linuxMatch9.10

canonicalubuntu_linuxMatch10.04lts

canonicalubuntu_linuxMatch10.10

Node

redhatenterprise_linux_desktopMatch6.0

redhatenterprise_linux_serverMatch6.0

redhatenterprise_linux_server_eusMatch6.3

redhatenterprise_linux_workstationMatch6.0

Node

opensuseopensuseMatch11.1

opensuseopensuseMatch11.2

opensuseopensuseMatch11.3

susesuse_linux_enterprise_serverMatch10sp3

susesuse_linux_enterprise_serverMatch11-

susesuse_linux_enterprise_serverMatch11sp1

Node

apacheopenofficeRange2.0.0–2.4.3

apacheopenofficeRange3.0.0–3.3.0

CPENameOperatorVersion
google:chromegoogle chromelt7.0.517.44

CPE	Name	Operator	Version
google:chrome	google chrome	lt	7.0.517.44

References

blog.bkis.com/en/libxml2-vulnerability-in-google-chrome-and-apple-safari/

code.google.com/p/chromium/issues/detail?id=58731

googlechromereleases.blogspot.com/2010/11/stable-channel-update.html

lists.apple.com/archives/security-announce/2010//Nov/msg00003.html

lists.apple.com/archives/security-announce/2011//Mar/msg00004.html

lists.apple.com/archives/security-announce/2011/Mar/msg00000.html

lists.apple.com/archives/security-announce/2011/Mar/msg00006.html

lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html

mail.gnome.org/archives/xml/2010-November/msg00015.html

marc.info/?l=bugtraq&m=130331363227777&w=2

marc.info/?l=bugtraq&m=139447903326211&w=2

rhn.redhat.com/errata/RHSA-2013-0217.html

secunia.com/advisories/40775

secunia.com/advisories/42109

secunia.com/advisories/42175

secunia.com/advisories/42314

secunia.com/advisories/42429

support.apple.com/kb/HT4456

support.apple.com/kb/HT4554

support.apple.com/kb/HT4566

support.apple.com/kb/HT4581

www.debian.org/security/2010/dsa-2128

www.mandriva.com/security/advisories?name=MDVSA-2010:243

www.openoffice.org/security/cves/CVE-2010-4008_CVE-2010-4494.html

www.redhat.com/support/errata/RHSA-2011-1749.html

www.securityfocus.com/bid/44779

www.ubuntu.com/usn/USN-1016-1

www.vupen.com/english/advisories/2010/3046

www.vupen.com/english/advisories/2010/3076

www.vupen.com/english/advisories/2010/3100

www.vupen.com/english/advisories/2011/0230

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12148

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

5.6 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

54.4%

JSON

Related for CVE-2010-4008

nessus39 openvas34 ubuntucve1 cvelist1 prion2 nvd2 securityvulns11 ubuntu1 osv1 debiancve1 veracode1 debian2 cve1 gentoo1 oraclelinux3 redhat4 centos2 vmware4 freebsd1 tenable1