lxml is vulnerable to a denial-of-service attack. The flaw is a NULL pointer dereference in the _appendStartNsEvents function of iterparse.pxi. It is triggered when a parser is fed incorrect input and iterwalk() is then used on trees generated by that same parser, which lets an attacker who controls the input crash the application.
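Two things a practitioner wants from this advisory are a way to tell whether an installed lxml predates the fix and a parsing pattern that keeps a bad document from sharing a parser with trees that are later walked. The block below is an added example written for this page; it is not code from the advisory or from the lxml project. It assumes that the referenced fix commit first shipped in lxml 4.9.1 (taken from the lxml changelog, not stated in the advisory text above), and the helper and function names are the author's own. The version check runs without lxml installed; the parsing helpers import lxml lazily. Note that isolating parsers only narrows the trigger condition described above; the actual fix is upgrading lxml.

```python
"""Added example, not from the advisory or the lxml project.

1. Decide whether an lxml version predates the iterwalk() NULL-deref fix.
2. Parse untrusted documents with a fresh XMLParser each, so a document that
   fails to parse never shares a parser with trees that iterwalk() later sees.
"""
import re
from importlib import metadata

# Assumption: lxml 4.9.1 is the first release containing the fix commit
# referenced by the advisory (from the lxml changelog, not the advisory text).
FIXED_VERSION = (4, 9, 1)


def parse_version(s):
    """Return the leading numeric components of a version string as a 3-tuple.

    Pre-release suffixes ("4.9.0rc1") are ignored; only the leading digits count.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_affected(version_str):
    """True if an lxml with this version string is older than the fixed release."""
    return parse_version(version_str) < FIXED_VERSION


def installed_lxml_affected():
    """None if lxml is not installed; otherwise is_affected() of the installed version."""
    try:
        return is_affected(metadata.version("lxml"))
    except metadata.PackageNotFoundError:
        return None


def parse_each_with_fresh_parser(documents, recover=False):
    """Parse every document with its own XMLParser instance.

    The advisory's trigger is iterwalk() over trees produced by a parser that
    has already seen incorrect input. Giving each document a fresh parser means
    a failed parse cannot taint trees built for other documents. With
    recover=False a malformed document yields None instead of a tree, so there
    is nothing to walk; with recover=True the recovered tree itself still came
    from incorrect input and should only be walked on a fixed lxml.
    """
    from lxml import etree  # lazy import: the version check above needs no lxml

    trees = []
    for doc in documents:
        parser = etree.XMLParser(recover=recover)
        try:
            tree = etree.fromstring(doc, parser)
        except etree.XMLSyntaxError:
            tree = None
        trees.append(tree)  # None marks a document that produced no tree
    return trees


def walk_start_tags(tree):
    """Collect element tags in document order via iterwalk(); skip None trees."""
    from lxml import etree

    if tree is None:
        return []
    return [el.tag for _, el in etree.iterwalk(tree, events=("start",))]


if __name__ == "__main__":
    # Constructed sample input: one well-formed and one malformed document.
    docs = [b"<a xmlns:p='urn:p'><p:b/></a>", b"<a><b></a>"]
    print("installed lxml affected:", installed_lxml_affected())
    for tree in parse_each_with_fresh_parser(docs):
        print(walk_start_tags(tree))
```

Run the module directly to see the version verdict and the tags walked for each constructed document; the malformed one produces an empty list because it never became a tree.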
github.com/advisories/GHSA-wrxv-2j5q-m38w
github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f
huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba
lists.fedoraproject.org/archives/list/[email protected]/message/HGYC6L7ENH5VEGN3YWFBYMGKX6WNS7HZ/
lists.fedoraproject.org/archives/list/[email protected]/message/URHHSIBTPTALXMECRLAC2EVDNAFSR5NO/
security.gentoo.org/glsa/202208-06
security.netapp.com/advisory/ntap-20220915-0006/