Executive Summary

NameCVE-2011-1753First vendor Publication2011-06-20
VendorCveLast vendor Modification2011-10-29

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score5Attack RangeNetwork
Cvss Impact Score2.9Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores


expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1753

CWE : Common Weakness Enumeration

100 %CWE-399Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12946
Oval ID: oval:org.mitre.oval:def:12946
Title: DSA-2248-1 ejabberd -- denial of service
Description: Wouter Coekaerts discovered that ejabberd, a distributed XMPP/Jabber server written in Erlang, is vulnerable to the so-called "billion laughs" attack because it does not prevent entity expansion on received data. This allows an attacker to perform denial of service attacks against the service by sending specially crafted XML data to it.
Family: unix Class: patch
Reference(s): DSA-2248-1
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): ejabberd
Definition Synopsis:

CPE : Common Platform Enumeration


OpenVAS Exploits

2012-08-10Name : Gentoo Security Advisory GLSA 201206-10 (ejabberd)
File : nvt/glsa_201206_10.nasl
2011-08-03Name : Debian Security Advisory DSA 2248-1 (ejabberd)
File : nvt/deb_2248_1.nasl
2011-08-03Name : FreeBSD Ports: ejabberd
File : nvt/freebsd_ejabberd1.nasl
2011-07-12Name : Fedora Update for ejabberd FEDORA-2011-8415
File : nvt/gb_fedora_2011_8415_ejabberd_fc15.nasl
2011-07-08Name : Fedora Update for ejabberd FEDORA-2011-8437
File : nvt/gb_fedora_2011_8437_ejabberd_fc14.nasl
2011-06-24Name : ejabberd XML Parsing Denial of Service Vulnerability (Windows)
File : nvt/secpod_ejabberd_dos_vuln_win.nasl

Open Source Vulnerability Database (OSVDB)

73170ejabberd Entity Expansion Recursion XML Nested Entity Handling DoS

Nessus® Vulnerability Scanner

2013-01-24Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2011-0881.nasl - Type : ACT_GATHER_INFO
2013-01-24Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2011-0882.nasl - Type : ACT_GATHER_INFO
2012-06-22Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201206-10.nasl - Type : ACT_GATHER_INFO
2011-06-30Name : The remote Fedora host is missing a security update.
File : fedora_2011-8415.nasl - Type : ACT_GATHER_INFO
2011-06-30Name : The remote Fedora host is missing a security update.
File : fedora_2011-8437.nasl - Type : ACT_GATHER_INFO
2011-06-27Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_01d3ab7d9c4311e0bc0f0014a5e3cda6.nasl - Type : ACT_GATHER_INFO
2011-06-10Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2248.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

BID http://www.securityfocus.com/bid/48072
CONFIRM http://www.ejabberd.im/ejabberd-2.1.7
DEBIAN http://www.debian.org/security/2011/dsa-2248
FEDORA http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062099.html
XF http://xforce.iss.net/xforce/xfdb/67769

Alert History

If you want to see full details history, please login or register.
2016-04-26 20:43:53
  • Multiple Updates
2014-02-17 11:02:04
  • Multiple Updates
2013-05-10 22:59:39
  • Multiple Updates