Executive Summary

Informations
Name CVE-2003-1564 First vendor Publication 2003-12-31
Vendor Cve Last vendor Modification 2024-02-02

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Overall CVSS Score 6.5
Base Score 6.5 Environmental Score 6.5
impact SubScore 3.6 Temporal Score 6.5
Exploitabality Sub Score 2.8
 
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction Required
Scope Unchanged Confidentiality Impact None
Integrity Impact None Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1564

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-776 Unrestricted Recursive Entity References in DTDs ('XML Bomb')

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 81

OpenVAS Exploits

Date Description
2011-08-03 Name : FreeBSD Ports: ejabberd
File : nvt/freebsd_ejabberd1.nasl
2009-12-10 Name : Mandriva Security Advisory MDVSA-2009:314 (apr)
File : nvt/mdksa_2009_314.nasl
2009-09-02 Name : FreeBSD Ports: apache
File : nvt/freebsd_apache15.nasl
2009-09-02 Name : Mandrake Security Advisory MDVSA-2009:221 (libneon0.27)
File : nvt/mdksa_2009_221.nasl
2009-06-09 Name : FreeBSD Ports: apr
File : nvt/freebsd_apr.nasl
2009-06-09 Name : Mandrake Security Advisory MDVSA-2009:131 (apr-util)
File : nvt/mdksa_2009_131.nasl
2009-06-09 Name : Mandrake Security Advisory MDVSA-2009:131-1 (apr-util)
File : nvt/mdksa_2009_131_1.nasl
2009-03-06 Name : RedHat Update for libxml2 RHSA-2008:0886-01
File : nvt/gb_RHSA-2008_0886-01_libxml2.nasl
2009-02-27 Name : CentOS Update for libxml2 CESA-2008:0886-01 centos2 i386
File : nvt/gb_CESA-2008_0886-01_libxml2_centos2_i386.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
73175 jabberd14 Entity Expansion Recursion XML Nested Entity Handling DoS

jabberd14 fails to properly detect recursion during entity expansion, allowing a context-dependent attacker to use a crafted XML document to cause a denial of service.
73174 jabberd2 Entity Expansion Recursion XML Nested Entity Handling DoS

jabberd2 fails to properly detect recursion during entity expansion, allowing a context-dependent attacker to use a crafted XML document to cause a denial of service.
73173 citadel Entity Expansion Recursion XML Nested Entity Handling DoS

citadel fails to properly detect recursion during entity expansion, allowing a context-dependent attacker to use a crafted XML document to cause a denial of service.
73172 Prosody Entity Expansion Recursion XML Nested Entity Handling DoS

Prosody fails to properly detect recursion during entity expansion, allowing a context-dependent attacker to use a crafted XML document to cause a denial of service.
73171 LuaExpat Entity Expansion Recursion XML Nested Entity Handling DoS

LuaExpat fails to properly detect recursion during entity expansion, allowing a context-dependent attacker to use a crafted XML document to cause a denial of service.
73170 ejabberd Entity Expansion Recursion XML Nested Entity Handling DoS

ejabberd fails to properly detect recursion during entity expansion, allowing a context-dependent attacker to use a crafted XML document to cause a denial of service.
48157 libxml2 Entity Expansion Recursion XML Nested Entity Handling DoS

Nessus® Vulnerability Scanner

Date Description
2013-01-24 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2011-0881.nasl - Type : ACT_GATHER_INFO
2013-01-24 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2011-0882.nasl - Type : ACT_GATHER_INFO
2011-06-27 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_01d3ab7d9c4311e0bc0f0014a5e3cda6.nasl - Type : ACT_GATHER_INFO
2009-12-04 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-314.nasl - Type : ACT_GATHER_INFO
2009-08-25 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-221.nasl - Type : ACT_GATHER_INFO
2009-06-08 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-131.nasl - Type : ACT_GATHER_INFO
2008-09-12 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2008-0886.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source Url
MISC http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2
http://xmlsoft.org/news.html
MLIST http://mail.gnome.org/archives/xml/2008-August/msg00034.html
http://www.stylusstudio.com/xmldev/200302/post20020.html
REDHAT http://www.redhat.com/support/errata/RHSA-2008-0886.html
SECUNIA http://secunia.com/advisories/31868

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
Date Informations
2024-02-02 17:28:17
  • Multiple Updates
2021-05-04 12:02:13
  • Multiple Updates
2021-04-22 01:02:22
  • Multiple Updates
2020-05-23 00:15:39
  • Multiple Updates
2016-04-26 12:45:24
  • Multiple Updates
2014-02-17 10:27:02
  • Multiple Updates
2013-05-11 11:55:24
  • Multiple Updates