CVE-2014-3660
Published: Nov 4, 2014
Modified: Aug 6, 2024
PUBLISHED
Description
parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
| Reference | Type | Source |
|---|---|---|
| 59903 | third-party-advisory | x_refsource_SECUNIA |
| DSA-3057 | vendor-advisory | x_refsource_DEBIAN |
| https://support.apple.com/kb/HT205030 | | x_refsource_CONFIRM |
| 70644 | vdb-entry | x_refsource_BID |
| openSUSE-SU-2014:1330 | vendor-advisory | x_refsource_SUSE |
| https://bugzilla.redhat.com/attachment.cgi?id=944444&action=diff | | x_refsource_MISC |
| 61966 | third-party-advisory | x_refsource_SECUNIA |
| 61965 | third-party-advisory | x_refsource_SECUNIA |
| USN-2389-1 | vendor-advisory | x_refsource_UBUNTU |
| APPLE-SA-2015-08-13-2 | vendor-advisory | x_refsource_APPLE |
| APPLE-SA-2015-08-13-3 | vendor-advisory | x_refsource_APPLE |
| [oss-security] 20141017 libxml2 issue: billioun laughs variant (CVE-2014-3660) | mailing-list | x_refsource_MLIST |
| MDVSA-2014:244 | vendor-advisory | x_refsource_MANDRIVA |
| RHSA-2014:1655 | vendor-advisory | x_refsource_REDHAT |
| RHSA-2014:1885 | vendor-advisory | x_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=1149084 | | x_refsource_CONFIRM |
| 61991 | third-party-advisory | x_refsource_SECUNIA |
| http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 | | x_refsource_CONFIRM |
| openSUSE-SU-2015:2372 | vendor-advisory | x_refsource_SUSE |
| https://support.apple.com/kb/HT205031 | | x_refsource_CONFIRM |