Lucene search

UbuntuUSN-5455-1

HistoryJul 19, 2022 - 12:00 a.m.

xmltok library vulnerabilities

2022-07-1900:00:00

ubuntu.com

ubuntu

expat

denial of service

arbitrary code

cve-2012-1148

cve-2015-1283

cve-2016-0718

cve-2016-4472

cve-2018-20843

cve-2019-15903

cve-2021-46143

cve-2022-22822

cve-2022-22823

cve-2022-22824

cve-2022-22825

cve-2022-22826

cve-2022-22827

cve-2022-25235

cve-2022-25236

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

Low

EPSS

0.582

Percentile

97.8%

JSON

Releases

Ubuntu 22.04 LTS
Ubuntu 20.04 LTS
Ubuntu 18.04 ESM
Ubuntu 16.04 ESM

Packages

libxmltok - XML Parser Toolkit, runtime libraries

Details

Tim Boddy, Gustavo Grieco and others discovered that Expat, that is
integrated in xmltok library, incorrectly handled certain files.
An attacker could possibly use these issues to cause a denial of
service, or possibly execute arbitrary code. These issues were only
addressed in Ubuntu 16.04 ESM. (CVE-2012-1148, CVE-2015-1283,
CVE-2016-0718, CVE-2016-4472, CVE-2018-20843, CVE-2019-15903,
CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824,
CVE-2022-22825, CVE-2022-22826, CVE-2022-22827)

It was discovered that Expat, that is integrated in xmltok library,
incorrectly handled encoding validation of certain files. An attacker
could possibly use this issue to cause a denial of service, or
possibly execute arbitrary code. (CVE-2022-25235)

It was discovered that Expat, that is integrated in xmltok library,
incorrectly handled namespace URIs of certain files. An attacker
could possibly use this issue to cause a denial of service, or
possibly execute arbitrary code. (CVE-2022-25236)

OSVersionArchitecturePackageVersionFilename
Ubuntu22.04noarchlibxmltok1< 1.2-4ubuntu0.22.04.1~esm1UNKNOWN
Ubuntu22.04noarchlibxmltok1< 1.2-4UNKNOWN
Ubuntu22.04noarchlibxmltok1-dbgsym< 1.2-4UNKNOWN
Ubuntu22.04noarchlibxmltok1-dev< 1.2-4UNKNOWN
Ubuntu20.04noarchlibxmltok1< 1.2-4ubuntu0.20.04.1~esm1UNKNOWN
Ubuntu20.04noarchlibxmltok1< 1.2-4UNKNOWN
Ubuntu20.04noarchlibxmltok1-dbgsym< 1.2-4UNKNOWN
Ubuntu20.04noarchlibxmltok1-dev< 1.2-4UNKNOWN
Ubuntu18.04noarchlibxmltok1< 1.2-4ubuntu0.18.04.1~esm1UNKNOWN
Ubuntu18.04noarchlibxmltok1< 1.2-4UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Ubuntu	22.04	noarch	libxmltok1	< 1.2-4ubuntu0.22.04.1~esm1	UNKNOWN
Ubuntu	22.04	noarch	libxmltok1	< 1.2-4	UNKNOWN
Ubuntu	22.04	noarch	libxmltok1-dbgsym	< 1.2-4	UNKNOWN
Ubuntu	22.04	noarch	libxmltok1-dev	< 1.2-4	UNKNOWN
Ubuntu	20.04	noarch	libxmltok1	< 1.2-4ubuntu0.20.04.1~esm1	UNKNOWN
Ubuntu	20.04	noarch	libxmltok1	< 1.2-4	UNKNOWN
Ubuntu	20.04	noarch	libxmltok1-dbgsym	< 1.2-4	UNKNOWN
Ubuntu	20.04	noarch	libxmltok1-dev	< 1.2-4	UNKNOWN
Ubuntu	18.04	noarch	libxmltok1	< 1.2-4ubuntu0.18.04.1~esm1	UNKNOWN
Ubuntu	18.04	noarch	libxmltok1	< 1.2-4	UNKNOWN