Lucene search

Ubuntu.comUB:CVE-2024-23807

HistoryFeb 29, 2024 - 12:00 a.m.

CVE-2024-23807

2024-02-2900:00:00

ubuntu.com

apache xerces c++

xml parser

use-after-free error

cve-2024-23807

version 3.0.0

version 3.2.5

external dtds

upgrade

mitigate

dom

sax

xerces_disable_dtd

cve-2018-1311

advisory

version 3.2.3

version 3.2.4

unix

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.014

Percentile

86.6%

JSON

The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a
use-after-free error triggered during the scanning of external DTDs. Users
are recommended to upgrade to version 3.2.5 which fixes the issue, or
mitigate the issue by disabling DTD processing. This can be accomplished
via the DOM using a standard parser feature, or via SAX using the
XERCES_DISABLE_DTD environment variable. This issue has been disclosed
before as CVE-2018-1311, but unfortunately that advisory incorrectly stated
the issue would be fixed in version 3.2.3 or 3.2.4.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchxerces-c< anyUNKNOWN
ubuntu20.04noarchxerces-c< anyUNKNOWN
ubuntu22.04noarchxerces-c< anyUNKNOWN
ubuntu24.04noarchxerces-c< anyUNKNOWN
ubuntu14.04noarchxerces-c< anyUNKNOWN
ubuntu16.04noarchxerces-c< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	xerces-c	< any	UNKNOWN
ubuntu	20.04	noarch	xerces-c	< any	UNKNOWN
ubuntu	22.04	noarch	xerces-c	< any	UNKNOWN
ubuntu	24.04	noarch	xerces-c	< any	UNKNOWN
ubuntu	14.04	noarch	xerces-c	< any	UNKNOWN
ubuntu	16.04	noarch	xerces-c	< any	UNKNOWN